AEPD (Spain) - EXP202304146: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=EXP202304146 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/documento/ps-00354-2023.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Code...") |
No edit summary |
||
Line 63: | Line 63: | ||
}} | }} | ||
The DPA fined a fintech company €72,000 after its inadequate measures | The DPA fined a fintech company €72,000 after its inadequate measures to verify its customer’s identity enabled fraudsters to take out a loan in the name of an unaware data subject. | ||
== English Summary == | == English Summary == | ||
Line 70: | Line 70: | ||
On 21 August 2020, the data subject saw a job posting online. In order to apply for this position, the data subject was requested to send a selfie of them holding their ID card. | On 21 August 2020, the data subject saw a job posting online. In order to apply for this position, the data subject was requested to send a selfie of them holding their ID card. | ||
After that, they received a request by the controller to pay back a €200 loan. | After that, they received a request by the controller, a fintech company, to pay back a €200 loan. | ||
Since the data subject believed they had never entered in a loan agreement with the controller, they contacted the latter. The controller informed the data subject that on 21 August 2020 it had received a loan request from them and transferred the amount to a bank account. The loan contract had been signed through an electronic signature. | Since the data subject believed they had never entered in a loan agreement with the controller, they contacted the latter. The controller informed the data subject that on 21 August 2020 it had received a loan request from them and transferred the amount to a bank account. The loan contract had been signed through an electronic signature. |
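Review bot: the unchanged paragraph that closes the Line 70 hunk still reads "entered in a loan agreement"; since this revision is already editing the Facts section, change it to "entered into a loan agreement". The added apposition "a fintech company" is fine, though "a request by the controller" in the same line would read better as "a request from the controller".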
Latest revision as of 15:27, 24 September 2024
AEPD - EXP202304146 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1) GDPR; Article 12 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 08.07.2024 |
Published: | |
Fine: | 72,000 EUR |
Parties: | Wenance Lending de España S.A. |
National Case Number/Name: | EXP202304146 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | fb |
The DPA fined a fintech company €72,000 after its inadequate measures to verify its customer’s identity enabled fraudsters to take out a loan in the name of an unaware data subject.
English Summary
Facts
On 21 August 2020, the data subject saw a job posting online. In order to apply for this position, the data subject was requested to send a selfie of them holding their ID card.
After that, they received a request from the controller, a fintech company, to pay back a €200 loan.
Since the data subject believed they had never entered into a loan agreement with the controller, they contacted the latter. The controller informed the data subject that on 21 August 2020 it had received a loan request from them and transferred the amount to a bank account. The loan contract had been signed through an electronic signature.
In addition, on 12 August 2022 the data subject asked the controller to delete their data. The controller did not reply to the request.
As for the deletion request, the controller later argued that it could not delete the data since the contract was still in force.
Holding
First, the DPA investigation showed that the data subject was the victim of fraud. The data subject sent their picture and ID card to the fraudster. With these documents the latter digitally signed the loan contract with the controller. Therefore, the data subject never expressed their willingness to enter into such an agreement with the controller.
Second, the DPA noted that the anti-fraud measures taken by the controller were insufficient. More specifically, the controller argued that one of these measures is that the amount of money cannot be transferred to accounts that have been open for less than 3 months.
However, in the case at hand, the controller transferred the money even though the account had been opened only one day before the loan contract was signed.
Third, the DPA pointed out that this lack of checks led to the transfer of the money to a bank account not owned by the data subject. The DPA added that, in Spain, a bank transfer is successful even if the name on the bank transfer form differs from the name of the account’s actual holder.
Therefore, the DPA found that the controller had processed personal data without a proper legal basis, since the data subject had never entered into a contract with the controller. For these reasons, it found a violation of Article 6(1) GDPR.
Fourth, as for the deletion request, the DPA noted that the controller should have replied to the request even if it believed that the request should have been rejected. Therefore, it found a violation of Article 12 GDPR.
On these grounds, the DPA issued a €72,000 fine.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202304146
SANCTIONING PROCEDURE RESOLUTION
From the procedure initiated by the Spanish Data Protection Agency and based on the following
BACKGROUND
FIRST: A.A.A. (hereinafter, the complaining party) filed a complaint with the Spanish Data Protection Agency on February 8, 2023. The claim is directed against WENANCE LENDING DE ESPAÑA, S.A. with NIF A67194746 (hereinafter, the respondent party, WELP or WENANCE). The reasons on which the claim is based are the following:
The complaining party states that WENANCE is imputing a debt to it that does not correspond to it, since it comes from the contracting of a loan made in an allegedly fraudulent manner. The loan was contracted on August 21, 2020.
Along with the notification, a burofax is provided addressed by the claimant to WENANCE, dated August 12, 2022, in which it informs the claimant that it does not recognize the debt, nor that it has contracted any credit with the defendant; it also requires the claimant to stop processing its data in the future. It is deduced that the burofax was sent by the claimant after having received a notification or request for payment of the credit entered into.
To said burofax, the claimant attaches two complaints that it filed with the National Police for these events (filed in October and December 2020). The first of them contains facts that could explain a possible impersonation of the claimant's identity:
“On August 21 [2020] I saw a job offer on the milanuncios page. That in the advertisement they gave the telephone number ***TELEPHONE.1 to contact. The declarant contacts this number, indicating that she should send a Selfie of herself with the photo of the DNI front and back. That the declarant does so and does not receive a response again. That on the date [06/10/2020] her mother has received a call in which a financial insurer tells her that she owes 200 euros plus interest on a loan she had requested.
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es
That the declarant calls said company by telephone at ***TELEPHONE.2, who informs her of her loan, stating that she owes 319 euros and that she has to return it. And that there is an associate in Banco Santander, but it is not in her name. That the declarant contacts the collections company “welp.es” by e-mail from where they provide her with the capture of the contract, which she provides herewith.”
In addition, the claimant provides a document called “Exercise of the right of deletion” addressed to the respondent party dated 02/02/2023.
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), said claim was forwarded to WENANCE, so that it could proceed to analyze it and inform this Agency within one month of the actions taken to comply with the requirements provided for in the data protection regulations.
The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was collected on March 31, 2023 as stated in the acknowledgement of receipt in the file.
On May 4, 2023, this Agency received a response letter indicating the following:
- The claimant effectively contracted a loan with WENANCE dated August 21, 2020. A copy of the same is provided.
- At the time, she requested deletion of her personal data, but this could not be accepted because the contract was still in force
- She claims that she considers the claimant's version "implausible" for several reasons:
o In her opinion, it is impossible that on the same day that she gave her data to a third party, the latter opened a current account at Banco Santander (for the payment of the loan amount).
o WENANCE only allows the amount of the requested credit to be sent to bank accounts that are more than three months old
o WENANCE makes, through its payment service provider, a prior deposit to verify the ownership of the bank account
o In addition, it notes that the complainant provides a complaint from October 2020, but is nevertheless surprised that two and a half years later there is no complaint or any type of judicial investigation
It provides a copy of the contract that would be signed electronically, by sending it to an email address and subsequent confirmation through a code sent by SMS to the mobile phone. The email address listed is: ***EMAIL.1. and the contact telephone line for sending the SMS: ***PHONE.1
THIRD: On May 8, 2023, in accordance with article 65 of the LOPDGDD, the claim submitted by the complaining party was admitted for processing.
FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out preliminary investigation actions to clarify the facts in question, pursuant to the functions assigned to the control authorities in Article 57.1 and the powers granted in Article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Section Two, of the LOPDGDD, having knowledge, in essence, of the following:
Date on which the claimed events took place:
- Opening of the allegedly fraudulent loan: 08/21/2020
- Dates of police reports: 10/06/20 and 12/16/2020
- Date of submission of the burofax for the right of deletion to WENANCE: 12/08/2022.
RESULT OF THE INVESTIGATION ACTIONS
After analyzing the evidence of electronic signature of the contract provided by the respondent party, it is observed that:
- It is a certificate issued by the trusted third party LLEIDANETWORKS Serveis Telemàtics S.A.
(hereinafter ***URL.1), which is a qualified electronic trust service provider in accordance with the provisions of the eIDAS Regulation for the entire European Union and provides the qualified certified electronic delivery service, as published on the website of the Ministry of Economic Affairs and Digital Transformation.
- The WELP CIF shown on the certificate is incorrect. The certificate shows: Welp.es (A12345678), when the actual WELP CIF is A67194746. The contract between WELP and ***URL.1 will be requested later and it will be confirmed that there is indeed a contract between them for certified electronic delivery, although in said contract the CIF also contains a typographical error: A97194746 instead of A67194746.
- The signature evidence specified in the certificate is the following:
2020-08-21 09:01:37 UTC-3: A certified process start type EMAIL has been sent to the email ***EMAIL.1.
2020-08-21 09:03:00 UTC-3: A certified OTP notification type SMS has been sent to the phone ***PHONE.1.
2020-08-21 09:03:26 UTC-3: Received an HTTPS request from IP ***IP.1 corresponding to the signing event.
- Analyzing the evidence provided along with the previous data, it is perceived that:
The email to start the process has originated in UTC-3 and the signature footer of the contract states Buenos Aires, Argentina. (Inspector's clarification: This origin is common in electronic communications certificates with WELP issued by ***URL.1.)
The data where the email with the documentation and the SMS with the contract signature code are sent are: ***EMAIL.1 and ***PHONE.1. This phone number matches the phone number listed in the complaint filed with the police by the complainant, the phone number with which he allegedly contacted to send the photos and apply for the job.
The data that appear in the SEPA Direct Debit Order as Debtor are:
o Name and surname: A.A.A.
o Address: Street ***ADDRESS.1
o Bank: BANCO SANTANDER
o IBAN: ***IBAN.1 (Account number where the loan was received, whose holder is supposedly the claimant)
Process of request to the claimant
On June 16, 2023, the claimant is requested additional information to gather clarifications on the date and data provided for the job offer, on the means used to provide said data and on the results obtained from any investigation related to the matter, originating from the filing of police reports. No response has been received from the claimant.
Request to BANCO SANTANDER
On June 16, 2023, a request for information was sent to BANCO SANTANDER in which it requested, among other things, the data of the complainant that they have in their systems, information on all contracts entered into with the complainant, as well as the identification and contact information of the holder of the bank account ***ACCOUNT.1 and its registration and deregistration date. (Remember that this bank account is the one to which WELP sent the amount of the credit granted).
BANCO SANTANDER sends its response dated June 26, 2023, in which it states that:
1.- The holder of the bank account ***ACCOUNT.1 corresponds to the client B.B.B., DNI ***NIF.1, as the only party/holder with registration date 08/20/2020 and cancellation 01/15/2021. It provides a screenshot of the contracts of the client B.B.B. together with their registration and cancellation dates. It is therefore observed that the account receiving the amount of the credit is not owned by the complaining party.
2.- Provide the following details of the client B.B.B.:
- Email: ***EMAIL.2
- Telephone: ***PHONE.3
- Address: Street ***ADDRESS.2.
- Client since April 14, 2020.
3.- Provide the following details of the complaining party:
- Email: ***EMAIL.1
- Telephone: ***PHONE.1
- Address: Street ***ADDRESS.1.
- Client since June 30, 2021.
4.- Provide the active contracts of the complaining party. Among them is a current account whose number does not match the data provided by WELP.
Request for information from WELP.
On June 16, 2023, a request for information was sent to WELP in which it was asked, among other things, for the data of the complainant that it had in its systems, information on all contracts entered into with the complainant, as well as a detailed description of the procedure for the contracting of this bank loan and a copy of the contacts maintained with the complainant and the claims received by it in relation to the reported facts.
WELP sent its written statement of allegations on June 26, 2023 and expanded it on July 3, 2023, together with the following documentation:
1.- First written response to the request.
2.- Agreement on the appointment of WELP's DPO.
3.- “Documentary Set”: Document that includes the following documentation:
1- Details of the claimant:
2- List of all contracted products.
3- Procedure for contracting WELP bank loans.
4- Procedure for contracting the loan originating the claim.
5- Agent Validation Annex, which validated the documentation manually.
6- Documentation collected in the formalization of the contract to verify the identity of the claimant.
7- Documents containing records and communications received by the claimant. Pages.
8- Contract signed between WELP and ***URL.1.
4.- Video with the audios of the communications held between the claimant and WENANCE in October 2020.
5.- Second written response to the request.
6.- Certificate from BANCO SANTANDER dated June 28, 2023, issuing the amount of the loan to the account of the beneficiary “A.A.A.”, ***ACCOUNT.1.
Point 1.- Having requested the data of the claimant that they have in their systems, WELP sends screenshots of the different systems where the data and/or information relating to the claimant are recorded.
The following information is noteworthy:
Email: ***EMAIL.1 and ***PHONE.1.
Telephones: (…). This last telephone number matches the one in SANTANDER's systems.
IBAN: ***ACCOUNT.1.
Cases (incidents) dated 06/10/2020, 06/10/2020, 07/10/2020, 21/01/2021 and 21/06/2021.
Capture of incident, with the text “I am A.A.A. with Dni ***NIF.1 and I am contacting you because I have to report that my identity has been stolen, by signing a contract with you and the police have asked me to ask you for a proof showing the debt that is in my name and the phone number from which it was made in order to proceed with the complaint, I would like you to provide it to me. Many thanks”
Transfer receipt dated 08/21/2020 in favor of ***NIF.1 CONCEPT Welp - 235212
It also provides the signed contract (similar to the one provided in the response to the transfer) and screenshots with information about said contract.
Point 2.- Regarding the products contracted by the complainant, WELP shows Welp Bronce SI Full Loan for the amount of €200 with a subscription date of 08/21/2020.
Point 3.- Having requested the Procedure for contracting bank loans, the respondent indicates:
I. Loan application
The loan was requested online. The application could be made by any natural person with an Internet connection and access to the page who met the following requirements:
a. Be a legal resident in Spain.
b. Be of legal age.
c. Have a bank account in the name of the holder requesting the loan.
d. Demonstrate recurring income.
e. Have a telephone number.
f. Have an email address.
II.
Classification of the application and request for documentation
Within Wenance's usual operations, when the consumer loan application was for a value of less than one thousand euros (€1,000), in accordance with Wenance's Manual for the Prevention of Money Laundering and Financing of Terrorism and, specifically, with its Customer Acceptance Policy dated January 18, 2019, simplified due diligence measures were required, as established in article 16 h) of Royal Decree 304/2014, of May 5, approving the Regulation of Law 10/2010, of April 28, on the prevention of money laundering and the financing of terrorism, which stipulated the following:
«Obliged subjects may apply, depending on the risk, simplified due diligence measures regarding the following products or services: operations: h) Consumer credit contracts for an amount less than 2,500 euros provided that the repayment is made exclusively by charging a current account opened in the name of the debtor in a credit institution domiciled in the European Union or in equivalent third countries»
Thus, in accordance with the above, Wenance carried out the following checks for said loans:
a) completing an application form in which they provided the following personal information:
1. Name and surname.
2. Identification number (DNI/NIE).
3. Date of birth.
4. Address.
5. Income.
6. Telephone.
7. Email.
8. Bank account number.
b) Subsequently, if the clients met the requirements, they had to send the following documentation, which would be subsequently verified by an agent from the Sales department:
1. Photo of the DNI/NIE, both the front and the back.
2. Selfie holding the identity document in the hand.
3. Proof of income.
4. Proof of ownership of the bank account.
III. Validation
Once the documentation was received, the Sales Department Agent validated that the data provided by the client matched the documentation provided.
In addition, he verified that the client was the owner of the bank account, that the DNI/NIE was valid and that the selfie photo matched the photo on the DNI/NIE, (…). If the client met all the requirements, the loan application was approved.
IV. Contracting
Subsequently, the client received the contract by email for signature and was sent a code via SMS to proceed with the signing of the contract. Once the contract was signed, the operations department issued a transfer order to the indicated account manually and the requested amount was deposited.
Point 4.- Regarding the contracting of the claimant's loan, WELP reports that it was requested online and simplified measures were applied since it did not exceed one thousand euros:
a) completing the application form and indicating personal data.
b) Sending the following documentation:
1. Photo of the DNI/NIE, both the front and the back.
2. Selfie holding the identity document in the hand.
3. Proof of income and copy of the last pay slip.
4. Proof of ownership of the bank account.
“The loan was pre-approved and the documentation was verified by C.C.C., a former agent of the Sales department, who verified that the data provided by the client matched the attached documentation. In addition, she verified that the DNI data matched those reflected in the bank account. Likewise, she verified that the DNI was valid and that the selfie photo matched the photo on the DNI/NIE.”
Point 5.- Regarding the security mechanisms and measures used by WELP to ensure the authenticity of the data provided by the client, the respondent party refers to a list of measures, taking into account what was explained in the previous points regarding the applicable procedure:
“a) Request for a photocopy of the DNI.
b) Request for a photograph holding the document, in order to make a comparison between the applicant and the bearer.
c) Request for the last payroll and bank receipt of payment, to manually compare that the data contained in these corresponded with that of the holder of the D.N.I.
d) Telephone call to the number listed to check its operation.
e) Validation of all documentation manually by the agent in charge at that time.”
For this validation, WELP provides a copy of the Agent Validation Annex (DOC#2.5) in which in Note 2 it can be seen: “doc ok 08/21/2020 15:53 by C.C.C.” and “data ok 08/21/2020 16:33 by D.D.D.”
“f) Request for double authentication factor between the email provided and the telephone, in order to mitigate the risk of falsification in the signing of the contract.
g) Manual transfer of the loan amount to the client's account.”
Point 6.- Once the documentation provided for the formalization of the contract has been requested, WELP sends a photo of the front and a photo of the back of the ID of the complainant, a photo of the complainant carrying the ID, proof of income and a copy of the last payroll.
Both the proof of income provided for the formalization of the contract and the copy of the last payroll are included in (DOC#2.6) and specify the account number ***ACCOUNT.1, an account that has been verified not to belong to the complainant. These documents could be images of the original documents sent by the claimant in which the account number was subsequently modified, before being sent for the loan contract.
The respondent has not provided proof of ownership of the bank account which had supposedly been verified by the former Sales Department agent C.C.C..
Point 7.- Having requested information on the checks carried out by Unnax to verify the correspondence of the current account data with the data provided in the loan application process, WELP explains that “After successive checks by WENANCE, it has been verified that, on the date of the loan contract by Ms.
A.A.A., the verification service was not performed by UNNAX REGULATORY SERVICES, E.D.E, S.L. (UNNAX), but manually, as indicated in points 3 to 5”.
Point 8.- Regarding the contacts maintained with the complainant, WELP provides documents containing records and communications received by the complainant and a video with the audios of the communications maintained between the complainant and WELP in October 2020.
It is verified that the exchange of emails has been carried out between the addresses ***EMAIL.1 and ***EMAIL.3. In this exchange of emails it is seen that, in response to the request of the complainant for proof showing the debt in his name and the telephone number from which the complaint was made, WELP provides the amortization table of the loan. Subsequently, the complainant sends WELP a copy of the police report, report 14741/20.
WELP does not indicate any response to the burofax submitted by the complainant dated August 12, 2022.
The video provided consists of four audios, recordings of the calls made by the complainant or by her mother. The most relevant information from the calls is the following:
Audio 1 (06/10/22): Call from the complainant's mother to WELP. She claims that WELP has called her phone (the mother's, E.E.E.), insists that they have never asked for a loan and requests that all her daughter's data be deleted.
Audio 2 (06/10/22): WELP reports that there is proof of a transfer. WELP asks if the account ending in 3689 belongs to the complainant. The complainant confirms that he does not have any account at Banco Santander: (…). At minute 7:54, WELP says: "You have to report it because someone has your data. We are going to track the phone of whoever did it because we have a verification call."
Audio 3 (10/07/22): WELP provides the email where the complainant has to send the complaint
Audio 4 (10/08/22): The complainant reports that they have filed a complaint with the police and have sent the complaint by email to ***EMAIL.3. At minute 14:06, the complainant asks: "This, since it has already been reported, there will not be any problem, right?" to which WELP responds: "No, now the problem is with the person who made the loan."
Point 9.- WELP expands its written allegations by providing a certificate from BANCO SANTANDER dated June 28, 2023, which states the issuance of the amount of the loan to the account of the beneficiary “A.A.A.”, ***ACCOUNT.1. (DOC#4)
WELP indicates that “the previous certificate is relevant for the purposes of demonstrating the verification of the authenticity of the account carried out by WENANCE. This is because, as the process was carried out 2 years ago and it is not possible to consult the manual verification carried out by the agent assigned to the account, beyond the documents already provided that are in the WENANCE computer system, through this certificate it is possible to prove, as of today, that the account registered in the loan application is associated with the applicant and that it was to whom the transfer for the amount of the loan was made.”
It has been verified that this document is a certificate issued and signed by SANTANDER and it reflects the data that were specified at the time of making the transfer.
Article 59 (Incorrect unique identifiers) of Royal Decree-Law 19/2018, of November 23, on payment services and other urgent financial measures (hereinafter, RDLSP) establishes that: “1.
When a payment order is executed in accordance with the unique identifier, it will be considered correctly executed in relation to the beneficiary specified in said identifier.”
The extract from the 2020 complaints report of the Bank of Spain in relation to the Unique Identifier indicates:
“The payment services regulations indicate that the unique identifier consists of a combination of letters, numbers or signs specified by the payment service provider to the user of said services, which the latter must provide in order to unequivocally identify the other user of the payment service or the payment account of that other user in a payment transaction, and which would be given by the account number (IBAN) provided for the execution of the payment order.
Thus, in accordance with the provisions of article 59 of the RDLSP, when a payment order is executed according to the unique identifier, said order will be considered correctly executed in relation to the beneficiary indicated in said identifier, the payment service provider not being responsible for the non-execution or defective execution of the operation when the unique identifier provided by the user was incorrect. However, in such cases, the payment service provider of the ordering party is required to make reasonable efforts to recover the funds, and may charge for such efforts the recovery costs that had been agreed in the framework contract.
The payment services regulations also do not establish the obligation of the entities to check that the name of the beneficiary corresponds to that of the holder of the account number of the destination of the transfer or other additional data, beyond the coincidence of the beneficiary IBAN with that indicated in the payment order.”
Therefore, the certificate provided by WELP does not allow the ownership of the bank account to be accredited.
The RDLSP regulations and the extract from the 2020 complaints report of the Bank of Spain in relation to the Unique Identifier are recorded in the SIGRID system as associated objects.
Deductions from the inspection report on the claims of the respondent party.
In summary, the statements made by the respondent party and which have been proven to be contradicted are shown:
.- “In short, it is impossible that with a mere photo of the complainant with the ID card, an online bank account was opened on the same day that said photo was provided.”
The bank account was previously created and it has been confirmed that the ownership of the account does not belong to the complainant.
.- “Furthermore, my client, also as a party obliged under the regulations on the Prevention of Money Laundering, as recorded in its prevention manual of money laundering and as part of its risk policy, only allows the contracting of loans with persons with bank accounts that are at least 3 months old.”
It has been verified that the account was created on August 20, 2020, one day before the contracting of the loan that is the subject of the claim.
.- “The above is also evident, since Unnax, through the payment provider, duly accredited under the PSD2 directive, makes a deposit into the applicant's current account (with prior permission) to check whether the current account data corresponds to that provided in the application process (ID, name and surname, address, etc.) and to analyse expenses, income, etc. in order to analyse the applicant's solvency.”
The respondent party acknowledges that the validation to verify the correspondence of the current account data with the data provided in the loan application process was manual: “After successive checks by WENANCE, it has been verified that, on the date of the loan contract by Ms. A.A.A., the verification service was not carried out by UNNAX REGULATORY SERVICES, E.D.E, S.L.
(UNNAX), but manually, […]”.

- “Lastly (and not least), the complainant provides a complaint from October 2020. Two and a half years later there is no complaint? No judicial investigation? We are talking about €200 being received in the current account ***ACCOUNT.1, which appears in the name of the complainant.” The current account does not appear in the name of the complainant. In addition, it has been verified that, in the recordings provided, WELP indicates to the complainant that they are going to take internal action: "You have to report it because someone has your data. We are going to trace the phone of whoever did it because we have a verification call." WELP also reassures the complainant: "This, as it has already been reported, there will be no problem, right?" to which WELP responds: "No, now the problem is with the person who made the loan."

- “[…] this certificate allows us to prove, as of today, that the account registered in the loan application is associated with the applicant and that the transfer for the amount of the loan was made to the applicant.” It has been verified that this document is a certificate issued and signed by SANTANDER and reflects the data specified at the time of making the transfer, but it does not allow us to prove the ownership of the bank account.

CONCLUSIONS

Claim for debt arising from the contracting of a loan made in an allegedly fraudulent manner. The existence of a transfer from WELP to the beneficiary account of the loan has been demonstrated. It has been confirmed that the account benefiting from the loan does not belong to the complainant but to another person (B.B.B. DNI ***NIF.2) with a registration date of 08/20/2020 and deregistration on 01/15/2021. The account was created on August 20, 2020, one day before the contracting of the loan subject to the claim.
It has been verified that the email address and telephone number with which the loan was contracted and which appear in WELP's databases do not match the email address and telephone number that SANTANDER has in its databases and which the complainant has used to contact WELP. It has been established that WELP was aware of the alleged fraudulent contracting since October 6, 2020. WELP has not provided proof of ownership of the bank account that it supposedly had to have manually reviewed for the contracting of the loan. Having requested a copy of the contacts maintained with the complainant in relation to the reported events, WELP does not indicate any response to the burofax submitted by the complainant dated August 12, 2022, although in the response to the transfer it explained that the complainant requested the right to delete the data, which could not be granted due to having an active and unpaid contract between the parties. It has been established that, in the recordings provided, the complainant requests that all data relating to this loan be deleted. The recordings warn that WELP was going to track the phone from which the contract was made, advise the complainant to file a complaint and reassure her that once the complaint has been filed there will be no problem. The complainant has not received notification of the request (by post) as of the date of signature of this report, but it is evident that she provided a lot of information (photos of ID, selfie with ID, payroll and proof of payroll transfer). It has been shown that the statements provided by the respondent in her allegations regarding the transfer are not correct. It has been verified that the SANTANDER certificate presented by the respondent, to prove that the account registered in the loan application is associated with the applicant, reflects the data that was specified at the time of making the transfer, but does not allow the ownership of the bank account to be proven. 
FIFTH: According to the report collected from the AXESOR tool, the entity WENANCE LENDING DE ESPAÑA, S.A. is a company established in 2018, and with a (…).

SIXTH: On July 20, 2023, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the respondent party, for the alleged violation of Article 12 of the GDPR and Article 6.1 of the GDPR, classified in Article 83.5 of the GDPR.

SEVENTH: There is reliable evidence of the receipt by the interested party of the aforementioned initiation agreement, which has been notified in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP). After the period granted for the formulation of allegations has elapsed, it has been noted that no allegations have been received from the respondent party. Article 64.2.f) of the LPACAP - a provision of which the respondent party was informed in the agreement to open the procedure - establishes that if no allegations are made within the period provided for regarding the content of the initiation agreement, when it contains a precise statement regarding the imputed liability, it may be considered a resolution proposal. In the present case, the agreement to initiate the sanctioning procedure determined the facts in which the charge was specified, the infringement of the GDPR attributed to the respondent and the sanction that could be imposed. Therefore, taking into consideration that the respondent party has not made allegations to the agreement to initiate the procedure and in accordance with the provisions of article 64.2.f) of the LPACAP, the aforementioned agreement to initiate the procedure is considered in the present case a resolution proposal.
In view of all the actions taken, the following facts are considered proven by the Spanish Data Protection Agency in the present procedure:

PROVEN FACTS

FIRST. The complainant declares that on August 21, 2020, he saw a job offer on the website “milanuncios”. The advertisement gave the telephone number ***TELEPHONE.1 to contact. After contacting that number, the complainant claims to have sent a selfie of himself with the photo of the front and back of his ID.

SECOND. On 08/21/2020, WENANCE entered into a consumer credit contract, in which, as the borrower, the following data appear:

“1. Customer data
Name and surname: A.A.A.
Date of birth: XXXXXX
Address: ***ADDRESS.1
Mobile phone: ***PHONE.1
Email: ***EMAIL.1
NIF/NIE: ***NIF.1

THIRD. The formalization of the celebration of the contract referred to in the proven fact above was carried out through the following procedure: According to the data that appear in the certificate issued by the telecommunications operator LLEIDANETWORKS Serveis Telemàtics S.A. as a trusted service provider, the following steps were followed for the celebration of the contract electronically: - (…).

FOURTH. The credit amount was deposited in the current account with code ***ACCOUNT.1. According to the certificate from Banco Santander that appears in the file:

1.- The holder of the bank account ***ACCOUNT.1 corresponds to the client B.B.B., DNI ***NIF.2, (…).

2.- The following details of the client B.B.B. are provided:
- Email: ***EMAIL.2
- Telephone: ***TELEPHONE.2
- Address: ***ADDRESS.2.
- Client since XXXXXXXXX

This proves that the amount of the credit was deposited in a bank account owned by a person other than the claimant.

FIFTH. The procedure for granting the credit established by the respondent, depending on the amount of the same, was the following:

a) Completion of the application form indicating personal data.

b) Submission of the following documentation:
a.
Photo of the DNI/NIE, both the front and the back.
b. Selfie holding the identity document in the hand.
c. Proof of income and copy of the last pay slip.
d. Proof of ownership of the bank account.

SIXTH: The respondent has not provided proof of ownership of the bank account that was supposedly verified by the former Sales department agent.

SEVENTH. In relation to the verification of the ownership of the bank account into which the amount of the requested credit was to be paid, the respondent party stated that it had contracted a payment provider, duly accredited under the PSD2 directive, Unnax, a deposit into the applicant's current account (with prior permission) to check whether the current account details correspond to those provided in the application process (ID, name and surname, address, etc.) and to analyse the expenses, income, etc. in order to analyse the applicant's solvency. However, he subsequently claims that after successive checks by WENANCE, it was proven that, on the date the loan was taken out by Ms. A.A.A., the verification service was not carried out by UNNAX REGULATORY SERVICES, E.D.E, S.L. (UNNAX), but manually. The respondent party does not provide any documentation on said verification.

EIGHTH. The respondent party claims to have a mechanism to prevent fraud, consisting of requiring as a requirement that the bank account into which the deposit is made is more than three months old. This requirement was not fulfilled, since according to the documentation in the file the dates are the following:
- Date of opening of the receiving account at Banco Santander: 08/20/2020
- Date of signing the loan agreement: 08/21/2020
- Date of deposit of the amount into the bank account: 08/21/2020

NINTH.
There is a burofax addressed by the claimant to WENANCE, dated August 12, 2022, by which it informs it that it does not recognize the debt, nor that it has contracted any credit with the defendant; it also requires it to stop processing its data in the future. WENANCE acknowledges having received it, indicating that the deletion could not be accepted because the execution of the contract is in force, in its opinion. As stated in the report on preliminary investigation actions, having requested a copy of the contacts maintained with the complainant in relation to the reported events, WELP does not indicate any response to the burofax submitted by the complainant dated August 12, 2022.

LEGAL BASIS

I Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants to each supervisory authority and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure. Data Protection. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

II. Preliminary questions

In the present case, in accordance with the provisions of article 4.1 of the RGPD, there is evidence of the processing of personal data, since WENANCE LENDING DE ESPAÑA, S.A.
carries out this activity in its capacity as controller of the processing, since it is the one who determines the purposes and means of such activity, pursuant to Article 4.7 of the GDPR: “Controller” or “controller”: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing; if the law of the Union or of the Member States determines. III Applicable provisions Article 5 of the GDPR deals with the principles governing the processing of personal data, which provides: “1. Personal data will be: a) processed lawfully, fairly and in a transparent manner with the interested party (<<lawfulness, fairness and transparency>>) Section 2 of Article 5 of the GDPR establishes that “The data controller will be responsible for compliance with the provisions of section 1 and able to demonstrate it (<<proactive responsibility>>)” Article 6 of the GDPR under the heading “Lawfulness of processing” specifies in its section 1 the cases in which the processing of third party data is considered lawful: “1. 
Processing will only be lawful if it meets at least one of the following conditions:

a) the interested party gave his consent for the processing of his personal data for one or more specific purposes;

b) the processing is necessary for the execution of a contract to which the interested party is a party or for the implementation at the request of the latter of pre-contractual measures;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

The provisions of letter f) of the first paragraph shall not apply to processing carried out by public authorities in the exercise of their functions.”

IV Unfulfilled obligation

The respondent party in this initiation agreement is accused of infringing Article 6.1 of the GDPR. The documentation in the file provides evidence that WENANCE processed the personal data of the complainant (name, surname, address, date of birth, DNI number) without any of the grounds for the lawfulness of the processing established in Article 6.1 of the GDPR being met. Indeed, as will be explained below, the respondent party has not provided documentation or information that allows it to be verified that the credit was actually contracted by the complainant.
Recital 40 of the GDPR states on this issue: “For processing to be lawful, personal data must be processed with the consent of the data subject or on another legitimate basis established by law, either in this Regulation or by virtue of another Union or Member State law to which this Regulation refers, including the need to comply with the legal obligation applicable to the controller or the need to perform a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.”

The administrative file contains a consumer credit contract, corresponding, in whose particular conditions the following appear as “customer data”:

“1. Customer data
Name and surname: A.A.A.
Date of birth: XXXXXXX
Address: ***ADDRESS.1
Mobile phone: ***PHONE.1
Email: ***EMAIL.1
NIF/NIE: ***NIF.1

The claimant has denied having given her consent to these contracts and having provided her personal data to WENANCE. She has filed a complaint with the Security Forces and Corps and has exercised her right to erasure against the respondent party. As will be detailed later, WENANCE did not take the necessary actions to ensure that the person taking out the loan was really the claimant party. Furthermore, it was not adequately ensured that the amount of the loan was received by the person who was listed as the borrower

It should be noted that, pursuant to the principle of proactive responsibility (Article 5.2 of the GDPR), which requires the controller of personal data to comply with the principles that govern it, which is of interest here, the principle of legality, and to be able to prove compliance, the burden of proof falls on the controller that the processing of the personal data of the complainant was covered by any of the circumstances of legality provided for in Article 6.1 of the GDPR.
In the case at hand, the element of guilt, necessary for penalty liability to arise, results from the lack of diligence demonstrated by the respondent party in complying with article 6.1 of the GDPR. As seen in the background of the claim and subsequent allegations in the preliminary investigation phase, the arguments put forward by the respondent party are basically the following: - Execution of the loan contract and confirmation of the same through a certified electronic signature system WENANCE provides a consumer credit contract. It apparently contains the data of the complainant. According to the data appearing in the certificate issued by "the telecommunications operator LLEIDANETWORKS Serveis Telemàtics S.A. as a trusted service provider, the following steps were followed to conclude the contract electronically: (…). There is an appearance of a validly executed contract. However, as stated in the report of preliminary investigation actions, analyzing the evidence provided together with the previous data, it is perceived that: - The data where the email with the documentation and the SMS with the contract signature code are sent are: ***EMAIL.1 and ***PHONE.1. - This phone number coincides with the phone number that appears in the complaint filed with the police by the complainant, the phone number with which she allegedly contacted to send the photos and request the credit. - However, these contact details do not coincide with those that the complainant herself provided to BANCO SANTANDER (remember that she herself was also a client of said bank). Nor with the complainant's phone number that is included in the complaint. 
In any case, the conclusion of the contract by electronic means only presupposes that the alleged impersonator would have obtained and provided said contact details (e-mail and telephone number for confirmation of the contract), and it is necessary that, either at the time of requesting the contract or at the time of remittance of the amount granted, the respondent party ensured that the applicant for the credit coincided with the holder of the destination bank account.

- Ensuring the ownership of the destination account

According to the allegations of the respondent party, it had a double mechanism to ensure that the amount of the credit requested was received in a bank account owned by the person who actually requested it. These mechanisms were the following:
- Making a prior deposit, so that said ownership is confirmed.
- The need for the bank account in which the amount is deposited to be at least three months old.

Both are indeed basic precautions. Through the first, the confirmation of the ownership of the account is received, so that the remittance of the requested amount to someone who is not the true owner is avoided. And through the second, cases are avoided in which the impersonation of the ownership has been carried out in the bank account itself, so that until three months have passed since the opening, a credit cannot be received in it. This last aspect is especially important, since, as detailed in the factual narration, the credit was requested on the same day that the claimant had sent her data to a third party, presumably with fraudulent intentions in the latter's actions. Well, both precautions were negligently ignored by the complainant.
In relation to the sending of a prior deposit to determine the ownership of the current account, (through its payment service provider), WENANCE has stated, in its response to the inspection, that “After successive checks by WENANCE, it has been verified that, on the date of the contracting of the loan by Ms. A.A.A., the verification service was not carried out by UNNAX REGULATORY SERVICES, E.D.E, S.L. (UNNAX), but manually, as indicated in points 3 to 5”. Thus, this verification was not carried out. And what is more important: from the investigation carried out by this Agency, there is evidence that the destination current account was not owned by the complainant but by a third party. Indeed, according to the information provided by Banco Santander to the inspection:

“1.- The holder of the bank account ***ACCOUNT.1 corresponds to the client B.B.B., DNI ***NIF.2, as the only participant/holder with registration date 08/20/2020 and cancellation date 01/15/2021. Provide a screenshot of the contracts of the client B.B.B. along with their registration and cancellation dates.

2.- Provide the following details of the client B.B.B.
- Email: ***EMAIL.2
- Telephone: ***TELEPHONE.1
- Address: ***ADDRESS.2
- Client since XXXXXXXX”

The absence of controls, therefore, allowed the amount of the credit to be transferred to a person other than the one who claimed to have contracted. In this respect, it is hardly necessary to refute the insufficiency of the transfer certificate issued at the request of WENANCE by BANCO SANTANDER. In effect, the only thing that would prove is that the transfer request was made in favor of the claimant, and to the current account number ***ACCOUNT.1.
That is, as the inspector's report rightly points out: “The payment services regulations also do not establish the obligation of the entities to check that the name of the beneficiary corresponds to that of the holder of the account number of the transfer destination or other additional data, beyond the coincidence of the beneficiary's IBAN with that indicated in the payment order. Therefore, the certificate provided by WELP does not allow the ownership of the bank account to be accredited.” As regards the second mechanism, that is, the necessary 3-month seniority in the bank account for the destination of the loan amount, the relevant dates are the following: - Contracting of the credit: 08/21/2020 (confirmed by the respondent party itself) - Deposit of the loan amount (€200) in the bank account: 08/21/2020 (confirmed by the transfer certificate issued by Banco Santander) - Opening date of the destination account no. ***ACCOUNT.1.: 08/20/2020 (confirmed by Banco Santander certificate) This confirms that the bank account was opened only one day before the contracting of the credit and the remittance to it of the contracted amount. The measure that the respondent party itself claims to have implemented was not fulfilled. It is important to highlight the necessary compliance with security measures such as those detailed (but not complied with) by the complainant. Indeed, by checking the ownership of the current account, the amount would have been avoided from being sent to a person other than the one who had apparently requested the credit. And by checking the age of the account, this situation would have also been avoided even if the impersonator had (using the documentation previously obtained) been able to open a current account in the name of the complainant, since it would have been necessary to wait the three-month period. 
Given the lack of measures that there is evidence of occurred in the operations of the defendant, the result was not only the processing of data without any legitimacy on the part of the data controller, but also the result of the non-payment by the impersonator has led to the claim for liability of the complainant itself, in whose name the improperly contracted credit appears. This is apart from the possible inclusion in data processing on financial solvency. For all these reasons, it is considered that WENANCE processed the personal data of the complainant without legitimacy, since a consumer credit was contracted in its name without it having given its response, or requested the contract, or any other basis for legitimacy of article 6.1 of the GDPR.

V Classification and qualification of the infringement

According to the evidence in the file, it is considered to be proven that the processing of the complainant's personal data carried out by WENANCE, which signed a consumer credit contract in her name, was not covered by any of the legal bases established in article 6.1 of the RGPD. Therefore, the known facts constitute an infringement of article 6.1 of the RGPD, classified in article 83.5.a) of the RGPD, a provision that provides: “5. Infringements of the following provisions shall be punished, in accordance with section 2, with administrative fines of up to EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual turnover of the previous financial year, whichever is higher: a) The basic principles for processing, including the conditions for consent pursuant to Articles 5, 6, 7 and 9.” In order to determine the limitation period for infringements, the provisions of the LOPDGDD shall apply, which classifies the infringement charged to the defendant as very serious and sets a limitation period of three years for it.
Article 72.1.a) of the LOPDGDD provides: “1. Pursuant to the provisions of Article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered to be very serious and will be subject to a three-year statute of limitations: [...] b) The processing of personal data without any of the conditions for the lawfulness of processing established in Article 6 of Regulation (EU) 2016/679 being met.”

VI Proposed sanction

The corrective powers attributed to this Agency as a supervisory authority are listed in Article 58.2 of the GDPR, paragraphs a) to j). The provision mentions among them the power to impose an administrative fine in accordance with Article 83 of the GDPR (Article 58.2. i). Also, the power to order the data controller to comply with the provisions of the GDPR, where appropriate, in a certain manner and within a specified period (Article 58.2. d). In the present case, WENANCE is subject to an administrative fine in accordance with Article 58.2.i) of the GDPR for its infringement of Article 6.1 of the GDPR. Article 83 of the GDPR, “General conditions for the imposition of administrative fines”, states in its section 1 that the supervisory authority shall ensure that the imposition of fines for infringements of this Regulation indicated in sections 4, 5 and 6, complies in each individual case with the principles of effectiveness, proportionality and deterrent effect. The principle of proportionality requires a correlation between the infringement and the sanction, with the prohibition of unnecessary or excessive measures, so that it must be suitable to achieve the purposes that justify it.
Article 83.2 of the GDPR determines the technique to be followed to achieve this adequacy between the sanction and the infringement committed and offers a list of criteria or factors that must be taken into account to grade the sanction. In relation to the facts established, the following factors are observed, which reflect a greater unlawfulness of the conduct and/or the culpability of the offending entity: - Circumstance of article 83.2.a) GDPR: a) the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question as well as the number of interested parties affected and the level of damages they have suffered; The particular seriousness of the infringing conduct must be made clear. Indeed, the negligence that occurs in this case has produced a special impact on the legal sphere and the life of the claimant, since she has been forced to take actions such as the necessary filing of two complaints with the security forces and bodies; the exercise of the right of deletion before the respondent, and to endure recovery actions for a debt of which she was not the true owner. All of this is caused by the unlawful processing carried out by the respondent party - Circumstance of article 83.2.k) RGPD: In relation to article 76.2.b) LOPDGDD: The obvious link between the business activity of the respondent and the processing of personal data. WENANCE's corporate purpose is, among others, the provision of financial services to the public. The execution of the contracts that you enter into with consumers in the development of this activity requires you to process numerous personal data of your clients or even third parties, from identifying data - such as name, surname and NIF -, bank details for direct debit of collections or payments and the postal address. 
This characteristic of your activity requires you to take extreme diligence in compliance with the obligations imposed by the personal data protection regulations. The concurrence of mitigating circumstances is not appreciated. In accordance with the criteria of articles 83.1. and 83.2 of the GDPR, the infringement of article 6.1 of the GDPR attributed to WENANCE is sanctioned with the imposition of an administrative fine of €70,000 (SEVENTY THOUSAND euros)

VII Exercise of the right to deletion

Along with the claim, a burofax addressed to WENANCE was attached, dated 12 August 2022, in which it communicates that it does not recognize the debt, nor that it has contracted any credit with the defendant party; it also requires it to stop processing its data in the future. WENANCE acknowledges having received it, indicating that the deletion could not be accepted because the execution of the contract was in force, in its opinion. As stated in the report on preliminary investigations, having requested a copy of the contacts maintained with the complainant in relation to the reported events, WELP does not indicate any response to the burofax submitted by the complainant dated August 12, 2022. In this regard, article 17 of the GDPR establishes the following: “1.
The interested party shall have the right to obtain from the controller without undue delay the deletion of personal data concerning him or her, who shall be obliged to delete personal data without undue delay when any of the following circumstances apply:

a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the data subject withdraws consent on which the processing is based in accordance with point (a) of Article 6(1) or point (a) of Article 9(2) and there is no other legal basis for the processing;

(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

(d) the personal data have been unlawfully processed;

(e) the personal data must be erased for compliance with a legal obligation under Union or Member State law to which the controller is subject;

f) the personal data have been obtained in relation to the offer of information society services referred to in Article 8, paragraph 1.”

In relation to the exercise of this right, paragraphs 2 and 3 of Article 12 of the RGPD establish the following:

“2. The controller shall facilitate the exercise by the interested party of his or her rights under Articles 15 to 22. In the cases referred to in Article 11, paragraph 2, the controller shall not refuse to act at the request of the interested party in order to exercise his or her rights under Articles 15 to 22, unless he or she can demonstrate that he or she is not in a position to identify the interested party.

3. The controller shall provide the data subject with information concerning its actions on the basis of a request pursuant to Articles 15 to 22 without undue delay and in any event within one month of receipt of the request.
That period may be extended by a further two months if necessary, taking into account the complexity and number of requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, stating the reasons for the delay. Where the data subject submits the request by electronic means, the information shall be provided by electronic means where possible, unless the data subject requests that it be provided otherwise.” According to the documentation in the file, it has been established that the respondent party has breached Article 12 of the Regulation since, regardless of the underlying reasons alleged by it in relation to the appropriateness of exercising the right to erasure, it should have responded to the complainant party within one month in relation to the request to exercise the right to erasure.

VIII Right to erasure. Classification of the infringement

According to the evidence available in this file, it is proven that the complaining party did not respond to the exercise of the right to erasure in accordance with the provisions of Article 12 of the GDPR. Therefore, the known facts could constitute an infringement of Article 12 of the GDPR, as defined in Article 83.5.a) of the GDPR, which provides: “5. Infringements of the following provisions shall be punishable, in accordance with paragraph 2, by administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global turnover of the previous financial year, whichever is higher: b) the rights of interested parties pursuant to Articles 12 to 22; In order to determine the limitation period for infringements, the provisions of the LOPDGDD will apply, which classifies the infringement charged to the respondent as very serious and fixed for it a limitation period of three years. Article 72.1 of the LOPDGDD provides: “1.
Pursuant to the provisions of Article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered to be very serious and will be subject to a three-year statute of limitations: [...] k) The repeated impediment or obstruction or failure to comply with the exercise of the rights established in Articles 15 to 22 of Regulation (EU) 2016/679. IX Proposed sanction The corrective powers attributed to this Agency as a supervisory authority are listed in Article 58.2 of the GDPR, paragraphs a) to j). The provision mentions among them the power to impose an administrative fine in accordance with Article 83 of the GDPR (Article 58.2. i). Also, the power to order the controller to comply with the provisions of the GDPR, where appropriate, in a certain manner and within a specified period (Article 58.2. d). In the present case, WENANCE is subject to an administrative fine for the infringement of Article 12 of the GDPR pursuant to Article 58.2.i) of the GDPR. Article 83 of the GDPR, “General conditions for the imposition of administrative fines”, states in its section 1 that the supervisory authority shall ensure that the imposition of fines for infringements of this Regulation indicated in paragraphs 4, 5 and 6 comply in each individual case with the principles of effectiveness, proportionality and deterrence. The principle of proportionality requires a correlation between the infringement and the sanction, with the prohibition of unnecessary or excessive measures, so that it must be suitable to achieve the purposes that justify it. Article 83.2. of the GDPR determines the technique to be followed to achieve this adequacy between the sanction and the infringement committed and offers a list of criteria or factors that must be taken into account to grade the sanction. In accordance with the criteria of articles 83.1. 
and 83.2 of the GDPR, the infringement of Article 12 of the GDPR attributed to WENANCE is sanctioned with the imposition of an administrative fine of €2,000 (two thousand euros)

X Adoption of measures

Once the infringements have been established, it is agreed to impose on the controller the adoption of appropriate measures to adjust its performance to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the GDPR, according to which each supervisory authority may “order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specific manner and within a specified period…”. It is considered that the respondent party must be ordered to proceed to respond to the request for the right of deletion exercised by the complaining party, within one month from the administrative finality of this resolution. It is noted that failure to comply with the possible order to adopt measures imposed by this body in the sanctioning resolution may be considered as an administrative infringement in accordance with the provisions of the GDPR, classified as an infringement in its article 83.5 and 83.6, and such conduct may motivate the opening of a subsequent administrative sanctioning procedure.
Therefore, in accordance with the above, the Director of the Spanish Data Protection Agency, RESOLVES:

FIRST: TO IMPOSE on WENANCE LENDING DE ESPAÑA, S.A., with NIF A67194746, for an infringement of Article 6.1 of the GDPR and an infringement of Article 12 of the GDPR, both classified in Article 83.5 of the GDPR,

- a fine of SEVENTY THOUSAND EUROS (€70,000) for the infringement of Article 6.1 of the GDPR

- a fine of TWO THOUSAND EUROS (€2,000) for the infringement of Article 12 of the GDPR

SECOND: TO ORDER WENANCE LENDING DE ESPAÑA, S.A., with NIF A67194746, that by virtue of Article 58.2.d) of the GDPR, within ONE MONTH, proves that it has responded to the request for the right of deletion exercised by the complaining party.

THIRD: NOTIFY this resolution to WENANCE LENDING DE ESPAÑA, S.A., with NIF A67194746

FOURTH: This resolution will be enforceable once the deadline for filing the optional appeal for reconsideration ends (one month from the day following the notification of this resolution) without the interested party having made use of this faculty. The sanctioned party is warned that he must make effective the sanction imposed once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17 December, by means of its payment, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, in the restricted account number IBAN: ESXX XXXX XXXX XXXX XXXX XXXX (BIC/SWIFT Code: XXXXXXXXXXX), opened in the name of the Spanish Data Protection Agency at the banking entity CAIXABANK, S.A.
Otherwise, it will be collected during the enforcement period. Once the notification has been received and is enforceable, if the date of enforceability is between the 1st and 15th of each month, both inclusive, the deadline for making the voluntary payment will be until the 20th of the following month or the next business day thereafter, and if it is between the 16th and the last day of each month, both inclusive, the payment deadline will be until the 5th of the second following month or the next business day thereafter. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following notification of this resolution or directly file an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Administrative Litigation Jurisdiction, within two months from the day following notification of this act, as provided for in article 46.1 of the aforementioned Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be provisionally suspended by administrative means if the interested party expresses his intention to lodge an administrative appeal. 
If this is the case, the interested party must formally communicate this fact by means of a written document addressed to the Spanish Data Protection Agency, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through one of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. He must also transfer to the Agency the documentation that proves the effective filing of the administrative appeal. If the Agency is not aware of the filing of the administrative appeal within two months from the day following the notification of this resolution, it will terminate the provisional suspension.

938-250923

Mar España Martí

Director of the Spanish Data Protection Agency

C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es