AEPD (Spain) - EXP202307696
Latest revision as of 12:09, 16 October 2024
AEPD - EXP202307696 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(2) GDPR, Article 6(1) GDPR, Article 8 GDPR, Article 21 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 26.04.2024 |
Decided: | 22.08.2024 |
Published: | 11.10.2024 |
Fine: | 50,000 EUR |
Parties: | Santander Consumer Finance S.A. |
National Case Number/Name: | EXP202307696 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | ao |
The DPA fined Santander €50,000 for processing a data subject’s personal data for advertisement purposes even after the data subject objected to the respective processing.
English Summary
Facts
On the 26 April 2023, the data subject filed a complaint with the AEPD for receiving postal advertising material despite having exercised their right to object to this.
The data subject had sent a letter to the controller on the 27 February 2023, requesting that his personal data exclusively be used to manage his credit card.
On the 7 March 2023, the controller responded to the data subject, confirming receipt of the request and stating that, in accordance with Article 21 and 18 GDPR, it had begun to give effect to the request. However, on the 23 April 2023, the data subject received advertising related to the granting of a loan, contrary to his request.
Following the data subject’s complaint, the AEPD requested information from the controller.
On the 6 July 2023, the controller confirmed that the data subject had received another advertisement in the post after having objected to this form of processing of his personal data.
The controller argued that human error by an employee caused the violation. The employee responsible for manually unticking the boxes relevant to the processing had failed to untick three boxes, which is why the advertisement reached the data subject. It argued that the mistake had been corrected on the 9 June 2023 and that the violation had therefore been remedied.
Further, the controller argued that a processor was responsible for the violation and therefore requested the dismissal of the proceedings.
Holding
Controller responsibility
With reference to Article 8 GDPR, the AEPD points out that the processor carries out its function on the instructions of the controller and that violations of the GDPR are therefore attributable to the controller. As Articles 5(2), 24, 28 and 32 GDPR set out, compliance monitoring of the processing is attributable to the controller regardless of the involvement of a processor. The AEPD established that the processor was acting on the instructions of the controller in sending the advertisements.
Gravity of the violation and setting the fine
The AEPD held that the controller did not adopt the required diligence as it did not prevent the processing after the request had been made.
Therefore, on the 12 April 2024, the controller was fined €50,000 under Article 83(5)(a) GDPR for violating Article 6(1) GDPR. In setting the fine, the AEPD stated that the violation of Article 6(1) GDPR was of sufficient gravity to warrant a fine of €50,000 in light of the controller’s annual turnover.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202317578 (PS/00546/2023) RESOLUTION OF THE SANCTIONING PROCEDURE From the actions carried out by the Spanish Data Protection Agency and based on the following: BACKGROUND FIRST: On 09/26/23, A.A.A., (hereinafter, the complaining party)...