AEPD (Spain) - PS/00240/2019: Difference between revisions

From GDPRhub
 
(24 intermediate revisions by 2 users not shown)
Line 57: Line 57:
}}
}}


The Spanish DPA fined Equifax, a credit ranking agency, €1,000,000 for failing to comply with the data minimization principle, by also failing to comply with the lawfulness, fairness and transparency principle, the purpose limitation principle, the accuracy principle, and with Article 14 GDPR. The authority ordered Equifax to stop the processing and delete the related databases.  
The Spanish DPA fined Equifax, a credit ranking agency, €1,000,000 for failing to comply with Article 5(1)(a), 5(1)(b), 5(1)(c), 5(1)(d) and with Article 14 GDPR. The authority ordered Equifax to stop the processing and to delete the related database.  


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
96 data subjects lodged a complaint against Equifax regarding its File on Judicial Complaints and Public Bodies (FIJ). Their data had been included in such file without consent after being scrapped from the Spanish Official State Gazette, and different releases and debtors lists from other public bodies, such as the General Tax Administration and city councils' gazettes.  
96 data subjects lodged a complaint with the Spanish DPA (AEPD) against Equifax regarding its File on Judicial Complaints and Public Bodies (FIJ). Their data had been included in such file without consent after being scrapped from the Spanish Official State Gazette, and different releases and debtors lists from other public bodies, such as the General Tax Administration and city councils' gazettes.  


=== Dispute ===
Some of this information was inaccurate or was not even related to the claimants. Additionally, the controller refused to delete the data when some data subjects made an erasure request, while sometimes asking for them to justify the request, or to prove their identity with a copy of their ID card.
in progress
 
Equifax denied the erasure requests of the complainant using a template for the letter they sent in response to the data subjects that included the following statements:
 
* The data has been collected from publicly accessible sources.
* The data will be erased when the data subject has payed the amounts due and sends proper justification about it.
* The data will be stored for 6 years.
 
In another different letter, they added that Equifax relied on the legitimate interest of the entities that use their services, that need to have information about the debts and monetary claims regarding their clients or persons with which they intend to engage in bushiness operations for business certainty purposes, to prevent late payments and to evaluate their reliability.
 
They also pointed that such data was accessible via entities from the financial, insurance, telecommunications, energy supply, deferred or recurrent payment services sectors that may engage in a contract with or assess an application from the data subjects.
 
The controller alleged:
 
# They did not have a proper opportunity to defend themselves, as the deadline for allegations was too short.
# Some of the erasure requests had already been properly responded to.
# Some of the claims regarding rights requests had not been exercised before the controller previously to the claim.
# According to the [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN former Data Protection Directive], to the [https://www.boe.es/buscar/pdf/1999/BOE-A-1999-23750-consolidado.pdf former Spanish Data Protection Act] (in its Article 29), to the CJEU ([https://curia.europa.eu/juris/document/document.jsf?text=&docid=115205&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=6332885 C-468/10 y C-469/10, Asnef, Fecemed]), and to the [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf Article 29 WP], controllers providing services for financial solvency and creditworthiness on legitimate interest. They also cited AEPD resolutions that decided in the same sense.
# Post-GDPR, they accuse the AEPD of changing their previous criterion, while knowing that these behaviour is common and generally permitted (the AEPD was processing recommendations on this matter at the time of the proceeding).
# They consider that the initial sanction proposal was disproportionate, what would expel them from the market, benefiting other companies that carry out the same practices. They also alleged that, according to criminal law principles, there should be a concurrence of violations, and that they should not be individually fined for all of them.
# A [https://www.boe.es/diario_boe/txt.php?id=BOE-A-2007-19814 Spanish act] allows for the re-utilization of information from the public sector.
# The legal concept of "publicly accessible sources" implies the potential knowledge and access by any person.
# They rely on the legitimate interest, according to the the [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf Article 29 WP], that requires a link between the interest and the purpose of the processing, a necessity assessment and a favourable balancing test. Also, they allege that the data subject has a reasonable expectation for their data to be processed in such a way.
# Regarding the accuracy principle, they argue that accuracy of data released by public bodies must be presumed to be accurate. In addition, the [https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673 Spanish Data Protection Act] (Article 4(2)) states that the obligation of ensuring accuracy is not attributable to the controller when data are collected from public sources if the controller ensures that they are rectified in due time when requested.
 
The Spanish DPA found that the data of 282.037 persons had been included in the files since the entry into force of the GDPR. It also found that, despite Equifax alleging the contrary, there was no proof of notification to the data subjects in accordance to Article 14.


=== Holding ===
=== Holding ===
in progress
 
===== On formal defects =====
The AEPD dismissed Equifax's arguments regarding the lack of possibility of defence, alleging that they had followed the procedure established by law.
 
===== On the change of criterion =====
Additionally, the authority found that the processing had also taken place after the entry into force of the GDPR, therefore making it irrelevant for these purposes that part of it started while the Directive was still in force.
 
Regarding the change of criterion, the AEPD argued that, logically, they were entitled to change their criterion, specially when a new regulation had been passed. In this regard, the AEPD noted that the GDPR did not mention publicly accessible sources anymore for this matter, and that such Regulation repelled the former Spanish Data Protection Act, that allowed the processing for financial solvency and creditworthiness purposes when obtained from public sources, thus changing the legal framework existing until the moment for this type of processing.
 
===== On the purpose limitation principle =====
On the purpose limitation principle, the AEPD argues that when data is processed with basis on a legitimate interest, according to Article 6(4) GDPR it must be assessed if the purpose is compatible with the purpose for which the personal data are initially collected. In this case, the reason why the data were initially collected has no connection or similar context to the purpose that Equifax alleges for processing the data. The data were initially collected and published by public institutions for notification purposes, with basis on a national law that pursues a public interest, namely the right to effective legal protection, enclosed in Article 24 of the [https://www.boe.es/buscar/act.php?id=BOE-A-1978-31229 Spanish Constitution].
 
Therefore, the starting point for the analysis is the origin of the data, and the purposes why such data was collected and later published. There is, in view of the AEPD, no connection between one purpose (a public notification, that constitutes a guarantee to preserve a fundamental right of the data subject, and that therefore overrides their right to data protection) and Equifax's purpose (providing potential harmful or negative information about the data subjects to different businesses). There is no similarity between the context of both processing activities, and between the possible consequences of the processing, and there are no additional safeguards to prevent any risks in the processing. Additionally, the AEPD argues that there could not have been any reasonable expectation of the data subjects for their data to be processed in such a way, given the context.
 
According to the AEPD, it was responsibility of the controller to assess whether the purposes were compatible and to comply with the regulation, as stated in Article 5(2) GDPR. And, they add, Equifax was aware that their purpose was not compatible with the initial purpose, as can be inferred by the allegations made during the investigation, when they allege that they are entitled to carry out subsequent processing for statistical and scientific purposes.
 
The AEPD also notes that their allegation regarding the [https://www.boe.es/diario_boe/txt.php?id=BOE-A-2007-19814 Spanish act for the re-utilization of information from the public sector] explicitly states (in its Article 4) that when personal data are involved, the data protection regulations will apply. This was also clarified by the State Agency of the Official State Gazette, that stated that re-utilization of their data was not lawful when pursuing economic profit. In fact, they say, such information is only available for 3 months.
 
Although the controller alleges, referring again to the change of criterion, that the mentioned text related to the purposes had not changed, the AEPD found that Equifax is intentionally mis-interpreting the content of the norm, interpreting the phrasing of "purpose for which the personal data are initially collected" as the purpose for which Equifax collected the data from the public sources, not as the initial collection of data by the administration in a first place, that is what the regulation refers to.
 
Therefore, the AEPD concluded that Equifax had violated the purpose limitation principle enclosed in Article 5(1)(b) GDPR.
 
===== On the lawfulness of processing =====
On this matter, the AEPD argued that, according to Article 5(1)(a) GDPR, Recital 39 and Article 6(1)(f), an interest can only be legitimate if it is lawful in the first place. However, as explained in the previous section (and following sections), the processing carried out by Equifax was not lawful, and therefore their interest can never be legitimate. 
 
However, the AEPD decided to anyhow carry out an analysis on the legitimate interest brought forward by Equifax. The legitimate interest alleged by Equifax had a double interest: 
 
* an interest (from the controller and the third parties to be recipients of the data) linked to the assessment of the financial solvency of the data subjects,
* an interest linked to fraud prevention.
To assess whether Equifax could rely on a legitimate interest for the processing, the authority suggests an analysis based on the [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf Article 29 WP guidelines on legitimate interest]. 
 
The AEPD concludes, firstly, that the processing is not strictly necessary to achieve the purpose alleged. They argue that such purpose can be achieved by other means, and that the terms "convenience" and "necessity" shall not be mistaken. Nor was the processing adequate, given that the data collected were not updated, inaccurate, and did only represent a little part of the population. And nor was there a balance between the interests of the controller and the negative consequences posed to the data subjects, that additionally could in any way have a reasonable expectation for such processing to happen. 
 
Therefore, the AEPD concludes, the fundamental right to data protection would override the legitimate interests of the controller (and third parties). The convenience of the actors that represent any economic sector is not proportional to the violation that such processing would incur in. 
 
With regards to Article 29 from the [https://www.boe.es/buscar/pdf/1999/BOE-A-1999-23750-consolidado.pdf former Spanish Data Protection Act], that allowed credit reporting agencies to use public data, the AEPD alleges that such law was repelled when the GDPR came into force. Even if the current [https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673 Data Protection Act] has an Article allowing such systems, the norm does not mention public sources anymore, but refers to a scenario in which the creditor communicates the debts to the credit reporting company. These last systems are substantially different from the ones that collect data from public sources, as they deal with accurate information, the data is directly obtained from the creditor (therefore not violating the limitation purpose principle) and use adequate safeguards to ensure compliance with GDPR.
 
The AEPD also accuses the controller of not being able to demonstrate the alleges compliance, as they considered unnecessary, when the GDPR and the new Data Protection Act entered into force, to carry out a legitimate interest assessment.
 
Therefore, without being able to rely on legitimate interest, the controller processed data without a legal basis, infringing Article 6(1) GDPR, in relation with the lawfulness principle established by Article 5(1)(a) GDPR.
 
===== On the accuracy principle =====
Article 5(1)(d) GDPR establishes that personal data shall be accurate and, where necessary, kept up to date. In addition to this, Recital 39 obliges the controller to undertake any reasonably necessary action to ensure this. Therefore, the AEPD says, a controller shall not process data if it is not able to ensure the accuracy of the data, and that they are kept up to date.
 
Additionally, the AEPD argues that, if the purposes for which the data was collected are different, it is also possible that the level of accuracy required is different too. In this case, they reason, the level of accuracy necessary to notify a data subject of a debt is not the same as the level of accuracy necessary to assess the financial reliability of a person.
 
Also, the purpose of a notification is to inform a person of a situation that exists in a particular moment. It is highly probable that such situation will change in the future, for example because the person fulfills their obligation and cancels the debt. The nature of the files created by the collection of data by the controller is completely different: they intend to asses the financial situation of the data subjects in a moment that is different from the moment of the notification. Therefore, it is impossible for the controller to keep the data up to date, as once the precise moment of the notification passes, the data may not already be updated. However, the AEPD found in the database data collected in 2013.
 
Also, the AEPD says, not all the data collected can be attributed to a person without doubt, given that two persons can have the same name, and ID numbers are not always published, or published only partially. The address, that is also used to distinguish persons, is not always available either.
 
In this regard, the AEPD remarks that, without properly being able to identify the subjects to which the data belong, it is unlikely that the controller can adequately achieve the interests that they allege.
 
The importance of these circumstances is confirmed by the fact that some of the complainants had suffered from lack of accuracy, either because they were not the debtors or either because they had already pay such debt, for instance.
 
Hence, the AEPD found a violation of Article 5(1)(d) GDPR.
 
===== On the data minimization principle =====
Regarding the data minimization principle, the AEPD remarks that processed personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. The GDPR requires that the categories of data that are used should be adequate to achieve the purposes of the processing. Additionally, data should be adequate and relevant, meaning that if they constitute an inference on rights and fundamental freedoms, they will be considered excessive.
 
Here, the AEPD emphasizes the impossibility of complying with the rest of the principles when violating the purpose limitation principle, as the ones are conditioned by the other.
 
The fact that the purpose of the initial collection differs from the subsequent processing by Equifax means that the data are not accurate anymore, and therefore they are not adequate for the purposes that the processing seeks. This is also related to the fact that the purpose of the initial collection differs from the subsequent processing, so the reason why certain data and categories of data were disclosed in the first place do not match the purpose and interests that Equifax has.
 
When referring to public notifications, the purpose of the processing is to be able to notify the debtor. For this, only certain categories of data are required. In fact, following the GDPR principles, the Spanish law imposes a minimization of the data that are to be published in order to notify. As of 2019, the address shall not be published, and names and surnames can never be published together with the ID number, that can only include four random chosen numbers.
 
Therefore, for the purposes of Equifax, this data was not adequate, what led to a violation of Article 5(1)(c).
 
This, apart from leading to inaccuracy when Equifax collects the data, leads to the impossibility of the controller to notify the data subjects in accordance with Article 14 GDPR, and also spotlights why infringing Article Article 5(1)(b) leads to the violation of other Articles and principles.
 
===== On the obligation to inform the data subjects =====
With the entry into force of the GDPR, the controller entered into an obligation to provide certain information to the data subjects when their data is processed. However, it is obvious, the AEPD, that Equifax did not notify all the data subjects which data were processing. While the database contained data of more than 4 million persons, the controller had only notify around 340,000 data subjects.
 
As previously stated, given that the addresses of the notified persons were not published anymore, the controller was not able to access them and therefore could not notify the data subjects. The AEPD remarks that even the data that were collected before the GDPR entered into forced were also subject to this obligation, given the fact that the data are still being processed.
 
Therefore, the AEPD found a violation of Article 14 GDPR.
 
===== Proportionality and concurrence of violations =====
The controller considered that the initial sanction proposal was disproportionate, since it would have expelled them from the market, benefiting other companies that carry out the same practices. The AEPD disregarded this argument, given that the controller was basing their business activities, on this matter, in the illegal collection of personal data. This was not an occasional behaviour, they alleged, but the core of such activity. 
 
Therefore, the AEPD concluded that the imposed sanctions (namely, the fine, the stop of the processing and the order to erase the data) were appropriate and proportional.
 
The controller also alleged that, according to criminal law principles, that shall also be applied to administrative sanction proceedings, there should be a concurrence of violations, and that they should not be individually fined for all of them.
 
In this regard, the controller pleaded that there exists a concurrence of violations, and that they should not be individually fined for all of them. The "concurso medial" figure (that may be translated as "instrumental concurrence") from Spanish criminal law implies that, when an offence is instrumental to another offence (i.e., one offence is committed to be able to commit the second one), the perpetrator will be guilty of both offences but sentenced to the sanction established for the main offence, on its highest level.
 
This is enclosed in the Spanish administrative legislation in Article 29(5) of the Spanish Act on the legal regime of the Public Sector, that states that when an offence is derived from the perpetration of other offences, only the sanction for the more serious offence will be imposed.
 
In such a sense, the authority concluded that the main, initial, and more relevant violation was the violation of the purpose limitation principle, from which the other violations derive. Therefore, given that Article 6(1), Article 5(1)(a), Article 5(1)(d), Article 5(1)(c), and Article 14 GDPR were infringed in connection to Article 5(1)(b), the AEPD considers that they can only sanction the controller for the main violation.
 
===== Sanction =====
In order to define the amount of the fine, the AEPD took into account the fact that the violation did not come from an isolated infringement or the result of a one-off irregularity. The AEPD remarked that the behaviour is a ''modus operandi'' articulated perfectly outside the law which, that takes advantage of official publications containing personal data, and that seeks to obtain an economic benefit by providing a service to third parties related to information on the solvency of the affected data subjects. The scope of this processing operation transcends the affected claimants and extends to all natural persons whose data have been included in official publications in the past or may be included in the future.
 
It is therefore a structural case of non-compliance with the GDPR and the legislation guaranteeing the fundamental right to data protection derived from Article 18(4) of the Spanish Constitution. Additionally, the personal data of the data subjects may be communicated to third parties, even if its processing clearly violates the GDPR. The extent of the damage that may result from this processing is unpredictable.
 
The AEPD's initial sanction proposal included higher fines. 
 
* Violation of Article 6(1), in relation with Article 5(1)(a): €3,000,000 fine + prohibition of processing + erasure of the data
* Violation of Article 5(1)(d): €3,000,000 fine + prohibition of processing + erasure of the data
* Violation of Article 5(1)(b): €1,000,000 fine + prohibition of processing + erasure of the data
* Violation of Article 5(1)(c): €1,000,000 fine
* Violation of Article 14: €1,000,000 fine
 
The AEPD finally reduced both €3,000,000 fines to €1,000,000 fines, and applied the figure of concurrence of offences, which led to an only sanction for the main violation of Article 5(1)(b).
 
Therefore, the Spanish DPA fined Equifax €1,000,000 for the violation of Article 5(1)(b), in relation with the violations of Article 6(1), Article 5(1)(a), Article 5(1)(d), Article 5(1)(c), and Article 14 GDPR.
 
The DPA also ordered Equifax to stop the processing and to delete all the personal data in their File on Judicial Complaints and Public Bodies, obtained through public sources, that were being subject to such processing, with grounds on Article 58(2)(f) and Article 58(2)(g), respectively.


== Comment ==
== Comment ==
''Share your comments here!''
The decision, being 184 pages long, includes many details that are not conveyed in this summary because they are not relevant for the outcome of the case and the interpretation of the GDPR.


== Further Resources ==
== Further Resources ==

Latest revision as of 14:21, 13 December 2023

AEPD - PS/00240/2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(b) GDPR
Article 5(1)(a) GDPR
Article 6(1) GDPR
Article 14 GDPR
Article 5(1)(c) GDPR
Article 5(1)(d) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 26.04.2021
Fine: 1000000 EUR
Parties: EQUIFAX IBÉRICA, S.L.
National Case Number/Name: PS/00240/2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: n/a

The Spanish DPA fined Equifax, a credit ranking agency, €1,000,000 for failing to comply with Article 5(1)(a), 5(1)(b), 5(1)(c), 5(1)(d) and with Article 14 GDPR. The authority ordered Equifax to stop the processing and to delete the related database.

English Summary

Facts

96 data subjects lodged a complaint with the Spanish DPA (AEPD) against Equifax regarding its File on Judicial Complaints and Public Bodies (FIJ). Their data had been included in such file without consent after being scrapped from the Spanish Official State Gazette, and different releases and debtors lists from other public bodies, such as the General Tax Administration and city councils' gazettes.

Some of this information was inaccurate or was not even related to the claimants. Additionally, the controller refused to delete the data when some data subjects made an erasure request, while sometimes asking for them to justify the request, or to prove their identity with a copy of their ID card.

Equifax denied the erasure requests of the complainant using a template for the letter they sent in response to the data subjects that included the following statements:

  • The data has been collected from publicly accessible sources.
  • The data will be erased when the data subject has payed the amounts due and sends proper justification about it.
  • The data will be stored for 6 years.

In another different letter, they added that Equifax relied on the legitimate interest of the entities that use their services, that need to have information about the debts and monetary claims regarding their clients or persons with which they intend to engage in bushiness operations for business certainty purposes, to prevent late payments and to evaluate their reliability.

They also pointed that such data was accessible via entities from the financial, insurance, telecommunications, energy supply, deferred or recurrent payment services sectors that may engage in a contract with or assess an application from the data subjects.

The controller alleged:

  1. They did not have a proper opportunity to defend themselves, as the deadline for allegations was too short.
  2. Some of the erasure requests had already been properly responded to.
  3. Some of the claims regarding rights requests had not been exercised before the controller previously to the claim.
  4. According to the former Data Protection Directive, to the former Spanish Data Protection Act (in its Article 29), to the CJEU (C-468/10 y C-469/10, Asnef, Fecemed), and to the Article 29 WP, controllers providing services for financial solvency and creditworthiness on legitimate interest. They also cited AEPD resolutions that decided in the same sense.
  5. Post-GDPR, they accuse the AEPD of changing their previous criterion, while knowing that these behaviour is common and generally permitted (the AEPD was processing recommendations on this matter at the time of the proceeding).
  6. They consider that the initial sanction proposal was disproportionate, what would expel them from the market, benefiting other companies that carry out the same practices. They also alleged that, according to criminal law principles, there should be a concurrence of violations, and that they should not be individually fined for all of them.
  7. A Spanish act allows for the re-utilization of information from the public sector.
  8. The legal concept of "publicly accessible sources" implies the potential knowledge and access by any person.
  9. They rely on the legitimate interest, according to the the Article 29 WP, that requires a link between the interest and the purpose of the processing, a necessity assessment and a favourable balancing test. Also, they allege that the data subject has a reasonable expectation for their data to be processed in such a way.
  10. Regarding the accuracy principle, they argue that accuracy of data released by public bodies must be presumed to be accurate. In addition, the Spanish Data Protection Act (Article 4(2)) states that the obligation of ensuring accuracy is not attributable to the controller when data are collected from public sources if the controller ensures that they are rectified in due time when requested.

The Spanish DPA found that the data of 282.037 persons had been included in the files since the entry into force of the GDPR. It also found that, despite Equifax alleging the contrary, there was no proof of notification to the data subjects in accordance to Article 14.

Holding

On formal defects

The AEPD dismissed Equifax's arguments regarding the lack of possibility of defence, alleging that they had followed the procedure established by law.

On the change of criterion

Additionally, the authority found that the processing had also taken place after the entry into force of the GDPR, therefore making it irrelevant for these purposes that part of it started while the Directive was still in force.

Regarding the change of criterion, the AEPD argued that, logically, they were entitled to change their criterion, specially when a new regulation had been passed. In this regard, the AEPD noted that the GDPR did not mention publicly accessible sources anymore for this matter, and that such Regulation repelled the former Spanish Data Protection Act, that allowed the processing for financial solvency and creditworthiness purposes when obtained from public sources, thus changing the legal framework existing until the moment for this type of processing.

On the purpose limitation principle

On the purpose limitation principle, the AEPD argues that when data is processed with basis on a legitimate interest, according to Article 6(4) GDPR it must be assessed if the purpose is compatible with the purpose for which the personal data are initially collected. In this case, the reason why the data were initially collected has no connection or similar context to the purpose that Equifax alleges for processing the data. The data were initially collected and published by public institutions for notification purposes, with basis on a national law that pursues a public interest, namely the right to effective legal protection, enclosed in Article 24 of the Spanish Constitution.

Therefore, the starting point for the analysis is the origin of the data, and the purposes why such data was collected and later published. There is, in view of the AEPD, no connection between one purpose (a public notification, that constitutes a guarantee to preserve a fundamental right of the data subject, and that therefore overrides their right to data protection) and Equifax's purpose (providing potential harmful or negative information about the data subjects to different businesses). There is no similarity between the context of both processing activities, and between the possible consequences of the processing, and there are no additional safeguards to prevent any risks in the processing. Additionally, the AEPD argues that there could not have been any reasonable expectation of the data subjects for their data to be processed in such a way, given the context.

According to the AEPD, it was responsibility of the controller to assess whether the purposes were compatible and to comply with the regulation, as stated in Article 5(2) GDPR. And, they add, Equifax was aware that their purpose was not compatible with the initial purpose, as can be inferred by the allegations made during the investigation, when they allege that they are entitled to carry out subsequent processing for statistical and scientific purposes.

The AEPD also notes that their allegation regarding the Spanish act for the re-utilization of information from the public sector explicitly states (in its Article 4) that when personal data are involved, the data protection regulations will apply. This was also clarified by the State Agency of the Official State Gazette, that stated that re-utilization of their data was not lawful when pursuing economic profit. In fact, they say, such information is only available for 3 months.

Although the controller alleges, referring again to the change of criterion, that the mentioned text related to the purposes had not changed, the AEPD found that Equifax is intentionally mis-interpreting the content of the norm, interpreting the phrasing of "purpose for which the personal data are initially collected" as the purpose for which Equifax collected the data from the public sources, not as the initial collection of data by the administration in a first place, that is what the regulation refers to.

Therefore, the AEPD concluded that Equifax had violated the purpose limitation principle enclosed in Article 5(1)(b) GDPR.

On the lawfulness of processing

On this matter, the AEPD argued that, according to Article 5(1)(a) GDPR, Recital 39 and Article 6(1)(f), an interest can only be legitimate if it is lawful in the first place. However, as explained in the previous section (and following sections), the processing carried out by Equifax was not lawful, and therefore their interest can never be legitimate.

However, the AEPD decided to anyhow carry out an analysis on the legitimate interest brought forward by Equifax. The legitimate interest alleged by Equifax had a double interest:

  • an interest (from the controller and the third parties to be recipients of the data) linked to the assessment of the financial solvency of the data subjects,
  • an interest linked to fraud prevention.

To assess whether Equifax could rely on a legitimate interest for the processing, the authority suggests an analysis based on the Article 29 WP guidelines on legitimate interest.

The AEPD concludes, firstly, that the processing is not strictly necessary to achieve the purpose alleged. They argue that such purpose can be achieved by other means, and that the terms "convenience" and "necessity" shall not be mistaken. Nor was the processing adequate, given that the data collected were not updated, inaccurate, and did only represent a little part of the population. And nor was there a balance between the interests of the controller and the negative consequences posed to the data subjects, that additionally could in any way have a reasonable expectation for such processing to happen.

Therefore, the AEPD concludes, the fundamental right to data protection would override the legitimate interests of the controller (and third parties). The convenience of the actors that represent any economic sector is not proportional to the violation that such processing would incur in.

With regards to Article 29 from the former Spanish Data Protection Act, that allowed credit reporting agencies to use public data, the AEPD alleges that such law was repelled when the GDPR came into force. Even if the current Data Protection Act has an Article allowing such systems, the norm does not mention public sources anymore, but refers to a scenario in which the creditor communicates the debts to the credit reporting company. These last systems are substantially different from the ones that collect data from public sources, as they deal with accurate information, the data is directly obtained from the creditor (therefore not violating the limitation purpose principle) and use adequate safeguards to ensure compliance with GDPR.

The AEPD also accuses the controller of not being able to demonstrate the alleges compliance, as they considered unnecessary, when the GDPR and the new Data Protection Act entered into force, to carry out a legitimate interest assessment.

Therefore, without being able to rely on legitimate interest, the controller processed data without a legal basis, infringing Article 6(1) GDPR, in relation with the lawfulness principle established by Article 5(1)(a) GDPR.

On the accuracy principle

Article 5(1)(d) GDPR establishes that personal data shall be accurate and, where necessary, kept up to date. In addition to this, Recital 39 obliges the controller to undertake any reasonably necessary action to ensure this. Therefore, the AEPD says, a controller shall not process data if it is not able to ensure the accuracy of the data, and that they are kept up to date.

Additionally, the AEPD argues that, if the purposes for which the data was collected are different, it is also possible that the level of accuracy required is different too. In this case, they reason, the level of accuracy necessary to notify a data subject of a debt is not the same as the level of accuracy necessary to assess the financial reliability of a person.

Also, the purpose of a notification is to inform a person of a situation that exists in a particular moment. It is highly probable that such situation will change in the future, for example because the person fulfills their obligation and cancels the debt. The nature of the files created by the collection of data by the controller is completely different: they intend to asses the financial situation of the data subjects in a moment that is different from the moment of the notification. Therefore, it is impossible for the controller to keep the data up to date, as once the precise moment of the notification passes, the data may not already be updated. However, the AEPD found in the database data collected in 2013.

Also, the AEPD says, not all the data collected can be attributed to a person without doubt, given that two persons can have the same name, and ID numbers are not always published, or published only partially. The address, that is also used to distinguish persons, is not always available either.

In this regard, the AEPD remarks that, without properly being able to identify the subjects to which the data belong, it is unlikely that the controller can adequately achieve the interests that they allege.

The importance of these circumstances is confirmed by the fact that some of the complainants had suffered from lack of accuracy, either because they were not the debtors or either because they had already pay such debt, for instance.

Hence, the AEPD found a violation of Article 5(1)(d) GDPR.

On the data minimization principle

Regarding the data minimization principle, the AEPD remarks that processed personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. The GDPR requires that the categories of data that are used should be adequate to achieve the purposes of the processing. Additionally, data should be adequate and relevant, meaning that if they constitute an inference on rights and fundamental freedoms, they will be considered excessive.

Here, the AEPD emphasizes the impossibility of complying with the rest of the principles when violating the purpose limitation principle, as the ones are conditioned by the other.

The fact that the purpose of the initial collection differs from the subsequent processing by Equifax means that the data are not accurate anymore, and therefore they are not adequate for the purposes that the processing seeks. This is also related to the fact that the purpose of the initial collection differs from the subsequent processing, so the reason why certain data and categories of data were disclosed in the first place do not match the purpose and interests that Equifax has.

When referring to public notifications, the purpose of the processing is to be able to notify the debtor. For this, only certain categories of data are required. In fact, following the GDPR principles, the Spanish law imposes a minimization of the data that are to be published in order to notify. As of 2019, the address shall not be published, and names and surnames can never be published together with the ID number, that can only include four random chosen numbers.

Therefore, for the purposes of Equifax, this data was not adequate, what led to a violation of Article 5(1)(c).

This, apart from leading to inaccuracy when Equifax collects the data, leads to the impossibility of the controller to notify the data subjects in accordance with Article 14 GDPR, and also spotlights why infringing Article Article 5(1)(b) leads to the violation of other Articles and principles.

On the obligation to inform the data subjects

With the entry into force of the GDPR, the controller entered into an obligation to provide certain information to the data subjects when their data is processed. However, it is obvious, the AEPD, that Equifax did not notify all the data subjects which data were processing. While the database contained data of more than 4 million persons, the controller had only notify around 340,000 data subjects.

As previously stated, given that the addresses of the notified persons were not published anymore, the controller was not able to access them and therefore could not notify the data subjects. The AEPD remarks that even the data that were collected before the GDPR entered into forced were also subject to this obligation, given the fact that the data are still being processed.

Therefore, the AEPD found a violation of Article 14 GDPR.

Proportionality and concurrence of violations

The controller considered that the initial sanction proposal was disproportionate, since it would have expelled them from the market, benefiting other companies that carry out the same practices. The AEPD disregarded this argument, given that the controller was basing their business activities, on this matter, in the illegal collection of personal data. This was not an occasional behaviour, they alleged, but the core of such activity.

Therefore, the AEPD concluded that the imposed sanctions (namely, the fine, the stop of the processing and the order to erase the data) were appropriate and proportional.

The controller also alleged that, according to criminal law principles, that shall also be applied to administrative sanction proceedings, there should be a concurrence of violations, and that they should not be individually fined for all of them.

In this regard, the controller pleaded that there exists a concurrence of violations, and that they should not be individually fined for all of them. The "concurso medial" figure (that may be translated as "instrumental concurrence") from Spanish criminal law implies that, when an offence is instrumental to another offence (i.e., one offence is committed to be able to commit the second one), the perpetrator will be guilty of both offences but sentenced to the sanction established for the main offence, on its highest level.

This is enclosed in the Spanish administrative legislation in Article 29(5) of the Spanish Act on the legal regime of the Public Sector, that states that when an offence is derived from the perpetration of other offences, only the sanction for the more serious offence will be imposed.

In such a sense, the authority concluded that the main, initial, and more relevant violation was the violation of the purpose limitation principle, from which the other violations derive. Therefore, given that Article 6(1), Article 5(1)(a), Article 5(1)(d), Article 5(1)(c), and Article 14 GDPR were infringed in connection to Article 5(1)(b), the AEPD considers that they can only sanction the controller for the main violation.

Sanction

In order to define the amount of the fine, the AEPD took into account the fact that the violation did not come from an isolated infringement or the result of a one-off irregularity. The AEPD remarked that the behaviour is a modus operandi articulated perfectly outside the law which, that takes advantage of official publications containing personal data, and that seeks to obtain an economic benefit by providing a service to third parties related to information on the solvency of the affected data subjects. The scope of this processing operation transcends the affected claimants and extends to all natural persons whose data have been included in official publications in the past or may be included in the future.

It is therefore a structural case of non-compliance with the GDPR and the legislation guaranteeing the fundamental right to data protection derived from Article 18(4) of the Spanish Constitution. Additionally, the personal data of the data subjects may be communicated to third parties, even if its processing clearly violates the GDPR. The extent of the damage that may result from this processing is unpredictable.

The AEPD's initial sanction proposal included higher fines.

  • Violation of Article 6(1), in relation with Article 5(1)(a): €3,000,000 fine + prohibition of processing + erasure of the data
  • Violation of Article 5(1)(d): €3,000,000 fine + prohibition of processing + erasure of the data
  • Violation of Article 5(1)(b): €1,000,000 fine + prohibition of processing + erasure of the data
  • Violation of Article 5(1)(c): €1,000,000 fine
  • Violation of Article 14: €1,000,000 fine

The AEPD finally reduced both €3,000,000 fines to €1,000,000 fines, and applied the figure of concurrence of offences, which led to an only sanction for the main violation of Article 5(1)(b).

Therefore, the Spanish DPA fined Equifax €1,000,000 for the violation of Article 5(1)(b), in relation with the violations of Article 6(1), Article 5(1)(a), Article 5(1)(d), Article 5(1)(c), and Article 14 GDPR.

The DPA also ordered Equifax to stop the processing and to delete all the personal data in their File on Judicial Complaints and Public Bodies, obtained through public sources, that were being subject to such processing, with grounds on Article 58(2)(f) and Article 58(2)(g), respectively.

Comment

The decision, being 184 pages long, includes many details that are not conveyed in this summary because they are not relevant for the outcome of the case and the interpretation of the GDPR.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


Page 1
1/184
 Procedure No.: PS / 00240/2019
RESOLUTION OF SANCTIONING PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and in
consideration to the following
BACKGROUND
FIRST: They have been received by the Spanish Data Protection Agency (AEPD)
ninety-six ( 96 ) claims against EQUIFAX IBÉRICA, SL, with NIF
B80855398 , (hereinafter, the claimed or EQUIFAX) for alleged violation of the
data protection regulations.
The claims relate to the processing of the personal data of the
claimants made by EQUIFAX and materialized in its incorporation into the File of
Judicial Claims and Public Bodies (hereinafter, FIJ) associated with
alleged debts mostly contracted, presumably, with Administrations
Public. In general, the personal data subject to treatment linked
alleged debts appeared in documents of the Public Administrations, the
Public Law entities or bodies dependent on them or in resolutions
of the jurisdictional bodies that were published through newsletters or newspapers
officials, by inserting them on the bulletin boards located at the headquarters of
entities or agencies or in the sole judicial notice board, with the purpose of
make effective the notification of an administrative or judicial resolution.
EQUIFAX IBÉRICA, SL, with NIF B80855398, is responsible for the FIJ. So has
recognized in any of the documents in the file, such as the letter
sent to complainants number 36 (E / 6174/2019), number 43 (E / 11624/2019) and
number 48 (E / 2050/2020) to inform you of the inclusion of your personal data in
the FIJ.
It should also be remembered that the repealed Organic Law 15/1999, on the Protection of
Personal Data (LOPD) regulated in its articles 14 and 39 the Registry
General Data Protection, for public consultation, which reported on the
data processing, the purposes of these processing and the identity of the
responsible for the treatment. In the aforementioned Registry -updated to June 2016-
EQUIFAX appeared as responsible for the FIJ, being the purpose of the file and the uses
provided for the " provision of credit and capital solvency services ".
Although the opening agreement and the motion for a resolution indicated that they were
97 the claims made against EQUIFAX, and this is stated in the list of
claimants listed in Annex I and in the description of the claims
(First Antecedent), there are actually 96 claims that make up this
file, taking into account that claimant 3 and 27 are the same person as
has presented different attached documentation at two different times.
Taking into consideration that we should not make any rectification in the
Second Antecedent, inasmuch as said Antecedent was incorporated into the relationship of
proven facts as First Proven Fact, its content is not altered, which
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 2
2/184
remains as it was in the motion for a resolution, limiting ourselves to indicating
hereinafter, there are 96 and not 97 claims made against EQUIFAX that
have determined the opening of this sanctioning file.
SECOND: From the examination of the claims received in the AEPD and its
attached documents the following relevant information is extracted for the purposes that we
occupy:
Claimant 1: Declares that EQUIFAX has included their data in the FIJ, without their
authorization, for debts that are not true and without having contrasted with the
City Council the reality of the debt. Provides, among others, the following documents:
to. Letter from EQUIFAX, dated 10/14/2019, with the result of access to the FIJ.
It is associated with the personal data of the claimant (name, surname and NIF) the
following information: Under the heading " Claims from public bodies ", there is no
data ”Under the heading“ Judicial Claims ”:
- An annotation: *** CITY COUNCIL.1 appears as plaintiff; What
" tax debt " procedure ; as a means of publication " *** BOLETIN.1"
and the date 10/11/2017.
b. The letter that the claimant sent to the respondent, dated 10/12/2019, in which
requested that their data be deleted from the FIJ, at least on a precautionary basis. The letter
of EQUIFAX addressed to the claimant, dated 10/24/2019, in which he denies the
requested cancellation and informs you that it is not appropriate to attend it since
provided documentation that justifies the deletion of your data. (It is the letter model
EQUIFAX denying the cancellation that is reproduced in the Third Event)
Claimant 2: Report the inclusion of your data in the FIJ without your consent.
It provides, among others, these documents:
to. Letter from EQUIFAX, dated 11/04/2019, with the result of access to the FIJ, in the
that associated with the personal data of the claimant (name, surname and NIF) are
provides the following information: Under the heading " Claims from organizations
public ”, there is no data. Under the heading " Judicial Claims ", these annotations:
- 1st entry: as plaintiff the *** CITY COUNCIL. 2 , for a
tax debt procedure; publication medium, “ *** BOLETIN.2” and the
Date of 09/02/2016.
- 2nd entry: plaintiff, *** CITY COUNCIL.3 ; by a procedure of
Tax debt; publication medium, “ *** BOLETIN.3” and the date of
09/09/2015.
- 3rd entry: plaintiff, *** CITY HALL.3; by a procedure of
Tax debt; publication medium, “ *** BOLETIN.3” and the date on
07/06/2016.
- 4th entry: plaintiff, the *** CITY COUNCIL.3; by a procedure of
Tax debt; publication medium, “ *** BOLETIN.3 ” and the date on
03/01/2017.
- 5th entry: plaintiff, the State Tax Administration Agency
(AEAT); through a tax debt procedure; publication medium,
" Tax Agency Headquarters" and the date 10/20/2017.
- 6th entry: AEAT plaintiff; through a tax debt procedure;
publication medium, " Tax Agency Headquarters " and the date 06/08/2018.
- 7th entry: plaintiff the AEAT; through a tax debt procedure;
publication medium, " Tax Agency Headquarters " and the date 07/27/2018.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 3
3/184
- 8th entry: AEAT plaintiff; through a tax debt procedure;
publication medium, " Tax Agency Headquarters " and the date 08/12/2019.
- 9th entry: applicant on *** CITY HALL.4; by a procedure of
Tax debt; publication medium, “ *** BOLETIN.3” and the date on
11/30/2015.
- 10th entry: plaintiff the AEAT; for a debt procedure
tax; publication medium, " Tax Agency Headquarters " and the date of
07/27/2018.
- 11th entry: plaintiff the AEAT; for a debt procedure
tax; publication medium, " Tax Agency Headquarters " and the date of
08/12/2019.
- 12th entry: applicant on *** CITY HALL.4; for a procedure
of tax debt; publication medium, “ *** BOLETIN.3 ” and the date
11/30/2015.
b. The letter from EQUIFAX, dated 11/12/2019, in which it denies the cancellation that
requested on 11/03/2019 and communicates that it is not appropriate to attend to her for not having contributed
documentation that justifies the deletion (It is the EQUIFAX letter model denying the
cancellation that is reproduced in the Third Event)
Claimant 3: States in his claim that Bankia did not respond to the access
requested and that, in November 2017, when he was trying to arrange a loan, the
Director of the Bankia branch informed him that his NIF was included in the FIJ
associated with the name of a third person, who was recorded as being born in
*** LOCALIDAD, 1, and that the information came from the Ministry of Development and
Housing *** LOCALIDAD.1.
The AEPD, prior to the agreement of admission to processing of this claim,
He transferred her to Bankia to report on the events denounced. In its
In response, Bankia sent the AEPD a copy of the letter sent to the claimant on
02/06/2019 in which he informed him that, with respect to the FIJ, as he was informed in
his office, a query would appear associated with his NIF, but not his name and surname.
He also added that the FIJ “is a database which has information about
legal proceedings and claims of public bodies that is obtained
of the Official State Gazette and similar bulletins of the Autonomous Communities. The
information contained therein, therefore, is not reported by Bankia so
to know what data is processed in it, you should go to. ... "
Claimant 4: States that their data, associated with alleged debts with the
Public Administrations, have been included in the FIJ without their authorization and without the
creditor has informed you of the possibility of being included in those systems. Add
that EQUIFAX has not verified the data with the Administrations. Provides, between
others, these documents:
to. Letter from EQUIFAX, dated 11/05/2019, with the result of access to the FIJ, in the
that associated with the personal data of the claimant (name, surname and NIF) are
provides the following information:
Under the heading " Claims from public bodies ":
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 4
4/184
- An entry: claiming entity Social Security; for a debt
corresponding to the period “06/2016 - 06/2016”; being the “Medium of
Publication ”*** BULLETIN.1 and the date of publication 02/22/2018.
Under the heading " Judicial Claims " the following are included in the document
annotations:
- 1st entry: applicant the *** CITY COUNCIL.1 ; debt procedure
tax; means of publication *** BULLETIN.1 and the date 03/23/2015.
- 2nd entry: *** ORGANISMO.1 is the plaintiff ; process
Tax debt; publication medium, *** BULLETIN.5 and the date of
02/23/2018.
- 3rd entry: plaintiff the AEAT; tax debt procedure; source of
publication, " Tax Agency Headquarters " and the date of 08/08/2019.
- 4th entry: plaintiff the AEAT; tax debt procedure; source of
publication, “ Tax Agency Headquarters ” and the date 10/26/2018.
- 5th entry: plaintiff the General Treasury of the Social Security;
Urgency procedure; publication medium “ *** BOLETIN.1” and the date
07/19/2018.
b. The letter received from EQUIFAX, dated 11/05/2019, in which it denies the cancellation that
She requested on 11/04/2019 and informs her that it is not appropriate to attend her since she has not
provided the documentation that justifies the deletion. (It is the EQUIFAX letter model
denying the cancellation that is reproduced in the Third Fact)
Claimant 5: States that their data, associated with alleged debts with the
Public Administrations, have been included in files without their authorization and that
EQUIFAX has not verified the data with the Administrations. It provides, among others,
this documents:
to. Letter from EQUIFAX, dated 11/14/2019, with the result of access to the FIJ, in the
that associated with the personal data of the claimant (name, surname and NIF) are
provides the following information: Under the heading " Claims from organizations
public ”“ No data ”. Under the heading " Judicial Claims" the following
annotations:
- 1st entry: applicant the *** CITY COUNCIL.1; debt procedure
tax; means of publication *** BULLETIN.1 and the date of 04/22/2014.
- 2nd entry: applicant on *** CITY HALL.4; procedure the
indication of tax debt; means of publication *** BULLETIN.1 and the date of
05/20/2015.
b. The letter received from EQUIFAX, dated 11/25/2019, in which they deny the
cancellation requested on 11/14/2019 and they inform you that since you have not contributed
documentation that justifies the deletion, it is not necessary to attend to your request (It is the
EQUIFAX model letter denying the cancellation that is reproduced in the Fact
Third)
Claimant 6: Report the inclusion of your personal data in delinquent files
obtained from public listings such as the BOE despite not having any debt with the
Public administrations. It provides, among others, these documents:
to. Letter from EQUIFAX, dated 11/11/2019, with the result of access to the FIJ, in the
that associated with the personal data of the claimant (name, surname and NIF) are
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 5
5/184
provides the following information: Under the heading " Claims from organizations
public ”, there are no data. Under the heading " Judicial Claims " are the
following six annotations:
- 1st to 6th: as plaintiff the AEAT; as a procedure, tax debt;
as a means of publication, " Tax Agency Headquarters" and the dates,
respectively, on 10/26/2018, 01/18/2019, 02/22/2019,
07/22/2019, 10/10/2019 and 05/24/2019.
b. The letter received from EQUIFAX, dated 10/21/2019, in which it responds to the access
requested. In it they inform you that they send “ the information associated with your identifier
or in your name and at the address provided by you. " (It is the EQUIFAX letter model of
response to the requested access that is transcribed in the Third Fact)
Claimant 7: You report the inclusion of your data in the FIJ without your consent,
Obtained from publications in official journals and without having verified their accuracy.
It provides, among others, these documents:
to. Letter from EQUIFAX, dated 12/13/2019, with the result of access to the FIJ, in the
that associated with the personal data of the claimant (name, surname and NIF) are
provides the following information: In the section " Claims from organizations
public ”there are no data. In the section “ Legal claims ” five
inclusions:
- 1st entry: applicant on *** CITY COUNCIL.3; procedure, debt
tax; publication medium, *** BULLETIN. 3 and the date 08/09/2017.
- 2nd entry: plaintiff the AEAT; procedure, tax debt; source of
publication, " Tax Agency Headquarters " and the date 01/16/2014.
- 3rd entry: AEAT plaintiff; tax debt procedure; source of
publication, " Tax Agency Headquarters " and the date 02/04/2019.
- 4th entry: applicant on *** CITY COUNCIL.5; debt procedure
tax; publication medium, *** BOLETIN.3 and the date 02/26/2016.
- 5th entry: applicant on *** CITY HALL.3; debt procedure
tax ; publication medium, *** BOLETIN.3 and the date 11/24/2017.
b. The letter from EQUIFAX, dated 12/20/2019, in which it denies the request for
cancellation of your FIJ data “ since you have not provided documentation that
justify the deletion, it is not necessary to attend to your request ”. (Equifax letter model
denying cancellation transcribed in the Third Fact)
Claimant 8: Report the inclusion of your data in the FIJ without your consent
obtained from the publication in official gazettes, without having contracted their veracity and
accuracy. It provides, among others, these documents:
to. Letter from EQUIFAX, dated 12/11/2019, with the result of access to the FIJ, in the
that associated with the personal data of the claimant (name, surname and NIF) are
provides the following information: In the section " Claims from organizations
public ”no data. In the section " Legal claims ":
- An entry: applicant the *** CITY HALL.3 ; procedure, debt
tax; publication medium, *** BULLETIN.6 and the date 06/23/2017.
b. The letter from EQUIFAX, dated 12/11/2019, in which it denies the cancellation of
your FIJ data. (EQUIFAX model letter denying the cancellation reproduced in
the Third Antecedent)
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 6
6/184
Claimant 9: Report the inclusion of your personal data in the FIJ without your
consent for debts that you do not recognize as yours. It provides, among others, the
following documents:
to. Letter from EQUIFAX, dated 12/27/2019, with the result of access to the FIJ, in the
that associated with the personal data of the claimant (name, surname and NIF) are
provides the following information: In the section " Claims from organizations
public ”no data. In the section " Legal claims " it appears:
- 1st entry: applicant the *** CITY COUNCIL.1; debt procedure
tax; means of publication *** BULLETIN.1 and the date 05/01/2014
- 2nd entry: plaintiff the AEAT; tax debt procedure; source of
publication " Tax Agency Headquarters " and the date 02/01/2019.
- 3rd entry: applicant on *** CITY HALL.6; debt procedure
tax; means of publication *** BULLETIN.1 and the date 11/22/2019.
b. The letter received from EQUIFAX, dated 12/27/2019, in which it responds to your
acce request so their data the IJF held on 26.12.2019 and refer " the
information associated with your identifier or your name and at the address provided by
you". (Model letter of response to the requested access, see Third Fact)
Claimant 10: Report the inclusion of your data in the FIJ for debts that are not
recognize. Provides, among others, the following documents:
to. Letter from EQUIFAX, dated 11/22/2019, with the result of access to the FIJ, in the
that associated with the personal data of the claimant (name, surname and NIF) are
provides the following information: In the section " Claims from organizations
public ”no data. In the section " Legal claims ":
- An annotation: applicant the *** ORGANISMO.2; debt procedure
tax; means of publication *** BULLETIN. 7 and the date of 07/10/2019.
b. The letter that EQUIFAX sends you, dated 11/22/2019, in which you respond to the access
requested on that same date and provides “ the information associated with your identifier or
your name and the address provided by you. " (Model letter of response to access
requested, see Third Fact.
Claimant 11: Report the publication of your personal data in files of
solvency without your authorization obtained from public files. It provides, among others, the
following documents:
to. Letter from EQUIFAX, dated 09/26/2019, with the result of access to the FIJ, in the
that associated with your personal data (name, surname and NIF) the following is provided
information: In the section " Claims from public bodies ", there is no data.
In the section " Legal claims ":
- An annotation: applicant the *** CITY COUNCIL.7; procedure, debt
tax; publication medium, *** BULLETIN. 8 and the date 12/22/2017.
b. The letter that EQUIFAX sends you, dated 09/26/2019, in which you respond to the access
requested and sends you “ the information associated with your identifier or your name and in the
address provided by you. ”. (Model letter of response to the requested access, see
Third Fact)
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 7
7/184
Claimant 12: Report the publication of your data in solvency files without your
authorization from public files. It provides, among others, the following
documents:
to. Letter from EQUIFAX, dated 09/27/2019, with the result of access to the FIJ, in the
that, associated with the personal data of the claimant (name, surname and NIF),
provides the following information: In the section " Claims from organizations
public ”no data. In the section " Legal claims ":
- An annotation: plaintiff the AEAT; procedure, tax debt; half
of publication, "Tax Agency headquarters " and the date 02/10/2017.
b. The letter that EQUIFAX sends you, dated 09/27/2019, in which you respond to the access
requested and sends you “ the information associated with your identifier or your name and in the
address provided by you ”. (Model letter of response to the requested access, see
Third Fact)
Claimant 13: Denounces the publication of your data in solvency files
patrimonial, without your authorization, obtained from public files. It provides, among others, the
following documents:
to. Letter from EQUIFAX, dated 11/29/2019, with the result of access to the FIJ, in the
that associated with the personal data of the claimant (name, surname and NIF) are
provides the following information: In the section " Claims from organizations
public ”, there is no data. In the section " Legal claims ":
- An annotation: *** CITY COUNCIL.8; What
procedure, tax debt; as a means of publication, *** BULLETIN.9 and
the date 05/31/2019.
b. The letter that EQUIFAX sends you, dated 11/29/2019, in which you respond to the access
requested and sends you “ the information associated with your identifier or your name and in the
address provided by you ”. (Model letter of response to the requested access, see
Third Fact)
Claimant 14: You report the publication of your data in the FIJ, without your authorization,
obtained from public files. Provides, among others, the following documents:
to. Letter from EQUIFAX, dated 10/17/2019, with the result of access to the FIJ, in the
that associated with the personal data of the claimant (name, surname and NIF) are
provides the following information: In the section " Claims from organizations
public ”, there is no data. In the section " Legal claims ":
- 1st entry: plaintiff the *** ORGANISMO.3; procedure, debt
tax; publication medium, *** BULLETIN.1 and as of the date 10/02/2019.
- 2nd entry: plaintiff the AEAT; procedure, tax debt; half
of publication, " Tax Agency Headquarters " and as of 01/24/2018.
b. The letter from EQUIFAX, dated 10/17/2019, in which it responds to the access
requested and sends you “ the information associated with your identifier or your name and in the
address provided by you ”. (Model letter of response to the requested access, see
Third Fact)
Claimant 15: Report the publication of your data in the FIJ, without your authorization,
from public files. Provides, among others, the following documents:
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 8
8/184
to. Letter from EQUIFAX, dated 11/26/2019, with the result of access to the FIJ, in the
that associated with the personal data of the claimant (name, surname and NIF) are
provides the following information: In the section " Claims from organizations
public ”no data. In the section " Legal claims ":
- An annotation: applicant the *** CITY COUNCIL.7; for a procedure
of tax debt; medium of publication, *** BULLETIN.8 and the date
02/20/2019.
b. The letter that EQUIFAX sends you, dated 11/26/2019, in which you respond to the access
requested and sends you “ the information associated with your identifier or your name and in the
address provided by you ”. (Model letter of response to the requested access, see
Third Fact)
Claimant 16: You report the inclusion of your data in the FIJ, without your consent,
for debts that are not true. Provides, among others, the following documents:
to. Written with the EQUIFAX anagram, dated 10/14/2019, with the result of the
access to the FIJ, in which associated with the claimant's personal data (name,
surnames and NIF) this information is offered:
In the section " Claims from public bodies ":
- 23 annotations in which, in all of them, the claiming entity appears as the
Social Security. The annotations are for debts corresponding to periods
monthly and correlative, the first being September 2016 and the last
July 2018. The means of publication of the 23 inclusions in which it appears as
creditor Social Security is always *** BOLETIN.3, being the dates of
publication those included between 12/01/2016 (that of the first annotated debt) and the
from 09/20/2018 (that of the last debt included)
In the section " Legal claims ":
-An entry: as plaintiff the General Treasury of the Social Security; What
procedure "constraint"; the medium of publication is *** BOLETIN.3 and the date
01/24/2017.
b. A letter from EQUIFAX, dated 10/14/2019, in which it responds to the access request
to your data that appear in the FIJ and sends you “ the information associated with your
identifier or your name and address provided by you. " (Model letter of
response to the requested access, see Third Fact)
c. A letter from EQUIFAX, dated 7/01/2020, in which you respond to the cancellation
requested by the claimant on 01/03/2020 and informs him that they do not include
inclusions associated with your data for debts with public bodies. The claimant
provides the document that he received from EQUIFAX on that same date, 01/07/2020, with the
information included in the FIJ associated with your name, surname and NIF. In this
document no longer appear annotations in the section " Claims of organizations
public ” that did appear (24 entries) on 10/14/2019. It is only reflected in the
section " Legal claims" the aforementioned incident.
Claimant 17: Complaint that EQUIFAX has not attended to the cancellation of your data
of the FIJ despite having passed " the stipulated period of six years ." It contributes, among others
documents, the following:
to. Letter from EQUIFAX, dated 02/21/2019, with the result of access to the FIJ, in which
associated with the personal data of the claimant (name, surname and NIF), the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 9
9/184
following information: In the section " Claims from public bodies " there is no
data. In the section " Legal claims " it appears:
- 1st entry: as plaintiff, *** CITY COUNCIL.2; What
procedure, tax debt; as “Court and Order No. ” “1408387/0
Local Administration ”; as a means of publication, *** BULLETIN.2 and the date
on 08/25/2017.
- 2nd entry: as plaintiff, *** CITY COUNCIL.9; What
procedure, tax debt; as " Auto and Court No." " 29553/000
Local Administration ”; as a means of publication, *** BULLETIN.2 and the date
on 10/03/2013.
- 3rd entry: as plaintiff, *** CITY COUNCIL.9; What
procedure, tax debt; as "Court and Order No. " "3892245/0
Local Administration ”; as a means of publication, *** BULLETIN.2 and the date
on 11/30/2015.
- 4th entry: as plaintiff, the *** CITY COUNCIL.8; What
procedure, tax debt; as "No. of Order and Court " "239/0000
Local Administration ”; as a means of publication, *** BULLETIN.9 and the date
on 09/05/2013.
b. The letter from EQUIFAX to the claimant, dated 02/21/2019, in which he denies the
cancellation of your FIJ data for not having provided documentation that justifies
deletion . ( Model letter of response to the cancellation request, see Fact
Third)
c. The AEPD, prior to the admission for processing of the claim, gave transfer
of her to EQUIFAX on 03/27/2019 and asked her to report the facts
reported. The respondent responds on 04/02/2019 and explains that she could not access
the cancellation requested because the payment of the debts was not credited.
Claimant 18: Complaint that on 02/05/2019 requested EQUIFAX to cancel its
FIJ data, since they appeared associated with debts with Social Security and the
Non-existent AEAT. It adds that it provided EQUIFAX with the certificates issued by the
General Treasury of the SS and by the AEAT that certify that it has no debts
pending and after a month, has not received a response. Provide a copy, among others,
of the following documents:
to. Letter from EQUIFAX, dated 01/03/2019, 02/21/2019 addressed to the claimant, in the
that responds to the requested access and with which it transfers a document with the
information that works in the FIJ. The document contains your personal data
(name, surname and NIF) associated with this information:
In the section " Claims from public bodies ", an annotation in which
Social Security appears as the creditor entity; for a period of time
between 4/13 to 4/13; as a means of publication it is indicated "SSS ELECTR (...) " and as
Date 07/19/2013.
In the section " Legal claims ", an annotation: as plaintiff the AEAT;
as a tax debt procedure; as Auto and Court number “ 59300188/0
Local Manager ”; as a means of publication, " Tax Agency headquarters " and the date on
09/08/2017.
b. Written document that the claimant sends by burofax dated 02/05/2019 to EQUIFAX and
through which you exercise the right of cancellation. The claimant referred EQUIFAX
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 10
10/184
with said writing, two certificates issued by the General Treasury of the SS and by
the AEAT, Special Delegation, which certifies that it has no outstanding debts to date
01/19/19. Both documents identify the person of the claimant by his
name, surname and by the NIF. In addition, the document issued by the TGSS
incorporates this data: " *** DATA.1".
c. In the absence of a response from EQUIFAX to your cancellation request, the
claimant filed a claim with the AEPD of which this Agency gave
transfer to EQUIFAX to report on the facts set forth therein. The
claimed responds to the AEPD on 04/12/2019 and states:
“ As of 04/12/2019, no registered data appears that could be associated with your
Name and address. An incident is registered in the name of AAA, but
associated with a totally different address to those that the affected person has provided in his
claim". " If you want to be consulted in other addresses where you have been able to
have previously resided, and thus verify with certainty whether or not it is data
associated with their identity, must facilitate a relationship of them "
“ However, we inform that the identifiers that the owner provides in the
certificates of being up to date with Social Security obligations (NAF)
nor do they correspond to those associated with the incidence discharged from
our files, so it is not possible for us to proceed with the cancellation " (The
underlined is from the AEPD)
Later, it adds that after receiving on 02/06/2019 through burofax the request for
cancellation of the claimant and " the necessary documentation" " is
verifies that there is no registered data associated with your name and address or your
DNI. There is an incident in the name of AAA , but associated with an address
different from those that the owner has provided us in his request, Therefore, the answer
issued is that “there is no registered data associated with your identifier / name and in the
address provided and that if you had resided in other addresses where you would like to be
consulted can send us a request expressly mentioning them ". (The
underlined is from the AEPD)
EQUIFAX sends the AEPD a document with the information that is in the FIJ
associated with the name and two surnames of the claimant, but not his / her NIF, since no
The NIF is provided as the section for this information is empty. In that document,
in the Claims from Public Bodies section there is no information and in the
In the Judicial Claims section, this annotation appears: as plaintiff the
TGSS; as a procedure, Urgency; as Auto and Court number “ 192987/20
UNIT. REC. EXECU. ”; publication medium, " SS S ELECTR ASTURIAS " and the date
04/28/2013.
Claimant 19: Report the inclusion of your data in solvency files by a
Non-existent debt with the *** CITY COUNCIL. 2. He claims to have addressed the aforementioned
City Council in which they inform you that there are hundreds of cases like yours by
debts that are not true. Provides, among others, the following documents:
to. Letter from EQUIFAX, dated 03/18/2019, with the result of accessing the FIJ, in which
associated with the personal data of the claimant (name, surname and NIF), the
Next information:
In the section " Claims from public bodies ", there is no data.
In the section " Legal claims" there is an annotation: As a plaintiff,
the *** CITY COUNCIL. 2; as a procedure, tax debt; as Car Number
and Court, “ *** REFERENCE.1”; as a means of publication, *** BULLETIN.2 and the date
12/05/2016.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 11
11/184
b. A certificate issued by the *** CITY COUNCIL.2 on 03/21/2019, indicating the
Claimant, identified by his name, surname and NIF, does not appear as a debtor of the
Municipal Public Finance for tax concepts that as of the date are
They are in the executive collection period.
Claimant 20: Report the inclusion of your data in a file of defaulters
associated with a non-existent debt with the Tax Agency. Refer to EQUIFAX
Negative certificate from the AEAT that certifies that you are up to date with payment.
Received the claim in this Agency, before agreeing its admission to processing,
He transferred it to the respondent so that she could provide information.
The following documents are in the file, among others:
to. Letter from EQUIFAX, dated 02/22/2019, with the result of the access to the FIJ, in which
associated with the personal data of the claimant (name, surname and NIF) is offered
this information:
In the section " Claims from public bodies ", there is no data.
In the section “ Legal claims ” there is an annotation: as a plaintiff, the
AEAT; as a procedure, tax debt; as No. of Order and Court, 4472761/0
ADMON. LOCAL ; as a means of publication , "Tax Agency headquarters" and the date
05/09/2016.
b. EQUIFAX responded to the AEPD's request for information on 05/14/2019. Explained that
the claimant had requested access to his FIJ data on 02/22/2019. That he
03/04/2019, the claimant requested the cancellation of his FIJ data and provided “ the
corresponding supporting documentation for said cancellation "therefore,
adds, " On 03/13/2019 the data is canceled."
Claimant 21: Report the inclusion in the FIJ of your personal data associated with
information that has been obtained from the BOE regarding alleged debts with
Public Administrations, as well as EQUIFAX's refusal to cancel the data.
It provides, among others, these documents:
to. Letter from EQUIFAX, dated 01/13/2020, with the result of the access to the FIJ, in which
associated with the personal data of the claimant (name, surname and NIF), the
following information: In the section " Claims from public bodies ", there is no
data. In the section " Legal claims " it is stated:
- 1st entry: name of the plaintiff, *** CITY COUNCIL.2 ; What
procedure, tax debt; as a means of publication, " *** BOLETIN.2 "
and the date 02/12/2016.
- 2nd entry: name of the plaintiff, State Administration Agency
Tax; as a procedure, tax debt; publication medium,
" Tax Agency Headquarters " and the date 12/02/2015.
- 3rd entry: name of the applicant, State Administration Agency
Tax; as a procedure, tax debt; publication medium “Headquarters
Tax Agency ”and the date 01/28/2019.
b. Written written by EQUIFAX to the claimant, dated 01/13/2020, denying the request
cancellation of your FIJ data " since you have not provided documentation that
justify the deletion, it is not appropriate to attend to your request ” (Model of response letter
to the cancellation request, see Third Fact)
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 12
12/184
c. Report of the General Secretariat of the State Agency Official State Gazette,
signed on 07/31/2019, in response to the query raised by the representative of the
complainant about the legality of collecting personal data that
publishes the BOE to create a database for profit. SG report
of the Data Protection Registry of the AEPD, dated 10/03/2019, responding to
the query raised by the claimant's representative (reference number
037917/2019)
Claimant 22: Report the inclusion of your personal data in the FIJ for a
debt with the *** ORGANISM. 4 without its authorization and without this Administration
Public has communicated their data. It provides, among others, these documents:
to. Letter from EQUIFAX, dated 12/16/2020, with the result of the access to the FIJ, in which
associated with the personal data of the claimant (name, surname and NIF) consists of the
Next information:
In the section " Claims from Public Organizations ", there is no data.
In the section " Judicial Claims " there is an incident: the name of the
plaintiff is *** ORGANISMO.4; as a procedure, tax debt; as a medium
of publication, “ *** BOLETIN.2 ” and the date 08/14/2015.
b. A letter with the rubric " Report of judicial information of EQUIFAX ", relative to
a query dated 12/11/2019 associated with the claimant's personal data in
The one that appears as the debtor, the *** ORGANISMO.4 as the plaintiff; What
status, “ embargo ” and the date of 08/14/2015.
c. Two documents with the anagram of *** ORGANISMO.4, in which under the
heading " Debt situation report " of the taxpayer -the claimant- is made
record the full payment on 12/12/2019 of two debts corresponding to the IVTM.
Complainant 23: Complaint that EQUIFAX has published in a solvency file its
data, without your authorization, obtained from public files. It provides, among others, these
documents:
to. Letter from EQUIFAX, dated 01/14/2020, with the result of access to the FIJ,
in which associated with the personal data of the claimant (name, surname and
NIF) the following information is provided: In the section " Claims
Public Organizations ”, there is no data. In the section " Claims
Judicial ” figure:
- 1st entry: name of the plaintiff, *** CITY COUNCIL.5; What
procedure, tax debt; as a means of publication,
“*** BOLETIN.10” and the date 11/06/2015.
- 2nd entry: name of the plaintiff, *** CITY COUNCIL.5; What
procedure, tax debt; as a means of publication,
“*** BOLETIN.10” and the date 05/08/2017.
b. Letter from EQUIFAX to the claimant responding to access to the FIJ. He says that he refers you
" The information associated with your identifier or your name and at the address provided
for you ” . (Sample letter of response to the request for access, see Third Fact)
Complainant 24: Complaint that EQUIFAX publishes in the FIJ personal data that has
obtained, without authorization, from public files. Provides, among others, the documents
following:
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 13
13/184
to. Letter from EQUIFAX, dated 12/19/2020, with the result of access to the FIJ, in the
that associated with the personal data of the claimant (name, surname and NIF)
the following information is provided. In the section " Claims for
Public Organizations ”, there is no data. In the section " Claims
Judicial "consists of:
- 1st entry: name of the applicant, *** CITY COUNCIL.10 ; What
procedure, tax debt; as a means of publication, *** BOLETIN.10
and the date 05/05/2014.
- 2nd entry: as the plaintiff's name appears *** CITY HALL.10;
as a procedure, tax debt; as a means of publication,
*** BULLETIN. 10 and the date 05/20/2015.
- 3rd entry: as plaintiff the AEAT; for a debt procedure
tax; as a means of publication " Tax Agency Headquarters " and the date
07/04/2016.
- 4th entry: as plaintiff the AEAT; for a debt procedure
tax; as a means of publication " Tax Agency Headquarters " and the date
10/24/2015.
- 5th entry: as plaintiff the AEAT; for a debt procedure
tax; as a means of publication " Tax Agency Headquarters " and the date
03/31/2017.
b. Letter from EQUIFAX to the claimant, dated 01/19/2020 in which he responds to the
requested access and sends you “ the information associated with your identifier or your name
and at the address provided by you ” (Sample letter of response to the request for
access, see Third Fact)
Claimant 25: Report the publication in the FIJ of information associated with your data
personal data that was published in the BOE, data processing that is not
authorized by the RGPD. They are in the file, among others, these documents:
to. Letter from EQUIFAX, dated 03/25/2019, with the result of access to the FIJ, in the
that associated with the personal data of the claimant (name, surname and NIF) are
provides the following information:
In the section " Claims from Public Bodies ":
- 14 annotations in which the complaining entity is, in all, the Security
Social; for debts related to the following periods of time, correlative to
each of the 14 incidents: The first, from 03 / 2016-03 / 2017. The following,
for
periods
monthly:
07/2016;
08/2016; 09/2016; 10/2016; 11/2016; 12/2016; 01/2017; 02/2017; 03/2017: 04/2017; 05
/ 2017; 06/2017 and 07/2017. As a means of publication, in the 14 incidents
consists of "*** BOLETIN.3", being the publication dates from 05/23/2016, the
Oldest, as of 03/14/2017, the most recent.
In the section "Judicial Claims " an annotation: As the name of the
plaintiff, General Treasury of the Social Security. As a procedure, I urge.
As " No. of Order and Court ", 140021/20 Unid Recau Ejec " ; as a means of
publication “ *** BOLETIN.3 ” and the date 09/09/2016.
b. The AEPD, receiving the claim and before agreeing on its admission for processing, gives
transfer of it to EQUIFAX and request information. The respondent responds on
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 14
14/184
05/21/2019 and states that after consulting the FIJ with the data of the
claimant (name, surname and NIF), there are 15 inclusions and provides the result of the
access to your data in the aforementioned file. It adds that the claim of the affected
"It lacks supporting documentation that allows the cancellation of the
data in the FIJ ”. And it says: “ The headline refers only to the fact that the new
Legal regulations in this regard do not allow the collection of this type of data from the BOE.
Consequently, the data is kept registered in the file ”. (The underline
is from the AEPD)
Claimant 26: Complaint that in the FIJ there are 12 annotations for debts with the
Social Security associated with your name whose inclusion you have not authorized and of which
has not been informed. In addition, some are older than 6 years.
They are in the file, among others, these documents:
to. Letter from EQUIFAX, dated 12/19/2018, in which it responds to the access requested by the
claimant and with which he sends the information that appears in the FIJ “ associated with his
identifier or in your name and at the address provided by you ”.
b. Letter from EQUIFAX, dated 12/19/2018, with the result of the access to the FIJ, in which the
The information provided is exclusively associated with the name and two surnames of the
claimant, but not his NIF, since the space for that data appears in
White.
In the section " Claims Public Organizations":
- 12 entries in which the " complaining entity " is, in all, Security
Social; for debts corresponding to the following periods of time:
10/2012; 01/2013; 07/2013; 11/2013; 12/2013 and from January to July 2014 by
monthly periods. As a means of publication, in the 12 incidents there is
"SSS ELECTR (...)", being the publication dates from 05/23/2016, the
Oldest, as of 03/14/2017, the most recent.
In the section " Judicial Claims " there is no information.
c. Claimant's email addressed to EQUIFAX, dated 01/28/2019, through the
that exercises the right of opposition to the publication of their data in the FIJ.
d. The AEPD, once received on 04/03/2019 the claim of the affected, before
agreeing to its admission for processing, transfer it to EQUIFAX requesting
information on the facts denounced.
The respondent responds on 05/29/2019 and states: That " After consulting the file
[FIJ] of the data of Mr. [name and two surnames of the claimant] on 05/29/2019
there are 10 registered incidents associated with the owner's address *** ADDRESS.1.
Access to the file with said information is provided as document two ”. EQUIFAX
says that in the aforementioned document it can be verified that the
incidents older than 6 years referred to by the claimant (The
underlined is from the AEPD) In ​​the result of the access to the FIJ that the
claimed -document two-, as was the case with the access provided on 12/19/2018
to the claimant, the claimant's NIF does not appear, but only his name and two
surnames.
Regarding the request for opposition / cancellation made by the claimant, the
01/28/2019 and the refusal of the claimed to cancel the annotations, responds to the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 15
15/184
AEPD that “ lacked supporting documentation that would allow carrying out the
cancellation of data in the ... ” FIJ. It adds that “ The owner alleges only some
aspects of the legal regulations to prove its cancellation. Consequently,
data is kept registered in the file. It is necessary that you contribute
documentation proving payment or certificate issued by the body
claimant, in this case the General Treasury of the Social Security, in which the
specify to be up to date with the payment ”.
Complainant 27: Complaint that in 2017 BANKIA informed him of the inclusion of
your data in the FIJ denying you the requested financial operation. He then exercised the
right of access to EQUIFAX, which replied that there were no data
your personals included in the aforementioned file. However, in February 2019 his
financial entity BANKIA continues to view your data as a debtor through the
information provided by the FIJ. In particular, there is your NIF associated with the name and
Last name of a person with this name: BBB. They work in the file, between
others, the following documents:
to. Letter from the SAC of BANKIA, dated 11/29/2018, addressed to the claimant in which
informs that the data contained in the "BIJ" are not included by that entity.
b. EQUIFAX's response, dated 05/29/2019, to the information request that
directed the AEPD prior to the admission for processing of this claim.
The respondent responds with respect to the facts presented by the claimant:
-That on that date no data is registered that could be associated “ to your
Name and address". It adds that “there are several incidents registered on behalf of
[name and two surnames of the claimant], two of them associated with other DNIs that do not
correspond to Mr. CCC and another associated with a totally different address than
those that the affected person facilitates in their claim ”He adds that “ if you wish to be consulted in
other addresses in which he may have previously resided, and thus verify with
whether or not it is data associated with your identity, you must facilitate a relationship
of the same ”. (The underlining is from the AEPD)
-There are in their systems two files managed for the claimant (which
identifies by name, two surnames and the NIF) with the references 2018/54322 and
2019/40848. Regarding the first of them, he indicates, among other questions, that in the
letter issued by INFORMA that the claimant sent him was also communicated
that " they had no data associated with their name and address in the FIJ." With respect to
second of the files processed, from 2019, EQUIFAX says: “ In the latter in
Specifically, he was told that there was no data associated with his name and address, and
that if he had resided in other addresses where he wanted to be consulted, he should
to send us a request expressly mentioning them ”. He adds : "As I know
you can check in the searches carried out for the [FIJ] there are incidents
listed in the name of " CCC " but are associated with identifiers and / or addresses
that do not correspond to those provided by the owner ”.
-Provides a screenshot showing six name records and
surnames and no NIF or NIE linked to them. Of the six records, the first three
fully coincide with the data of the name and surname of the claimant and for
one of the three registries also provides an address that is located in
*** LOCALITY . 2. The remaining three records differ from the data of the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 16
16/184
claimant, exclusively, in that they incorporate a middle name - thus, in addition to
X , given name is XV, XY , or XZ -One of these three records includes an address
in *** LOCALITY. 3.
Claimant 28: Report the inclusion of their data in the FIJ and the refusal of the
claimed to attend the requested cancellation, despite the fact that it documented
the absence of debt.
The AEPD, once the affected party's claim has been received on 04/04/2019, before
agree to its admission for processing, transferred it to EQUIFAX and requested information
on the facts denounced. The respondent responds on 05/30/2019. They work in the
file, among others, these documents:
to. Written with the EQUIFAX anagram, dated 04/01/2019, with the result
of access to the FIJ, in which associated with the claimant's personal data
(name, surname and NIF) this information is provided:
In the section " Claims from Public Bodies ":
- 13 annotations in which the claiming entity is Social Security;
in the first 6 annotations for debts corresponding to periods
monthly and correlative between 5/2013 and 10/2013; in the
remaining, for non-correlative monthly periods, the oldest of 12/2013 and
the most recent from 8/2017. As a means of publication in the top 10
annotations figure " SSS ELECTR (...)" and in the last 3 "*** BOLETIN.3". The
oldest publication date is 08/19/2013 and the most modern of
11/03/2017.
In the section "Judicial Claims" are included:
- 1st entry: as plaintiff appears the TGSS; as a procedure, Urgency;
as a means of publication " SSS ELECTR (...) " and the date 02/05/2014.
- 2nd entry: as plaintiff the TGSS appears; as a procedure, Urgency;
as a means of publication *** BULLETIN.3 and the date 08/21/2018.
b. Letter from EQUIFAX to the claimant, dated 04/01/2019, informing him that no
can attend your request to cancel FIJ data " because you have not provided
documentation justifying the deletion ”.
c. Three certificates issued by the TGSS and electronically signed on 03/26/2019;
04/01/2019 and 04/02/2019, which state that the claimant, identified by his
name, surname, NIF and NAF, is up to date with Security obligations
Social. These three certificates were sent by the claimant to EQUIFAX in order to
that your FIJ data was canceled and your copy has been provided to
this Agency by EQUIFAX with the response to the information request made by the
AEPD.
d. Several emails sent by the claimant to EQUIFAX, dated
04/01/2019, 04/02/2019 and 04/09/2019, in which you requested the cancellation of your data
of the FIJ and a letter sent by the claimant to EQUIFAX by postal mail, with
identical purpose that bears entry stamp at the headquarters of the claimed entity on
04/01/2019.
and. Document provided by EQUIFAX in which the name and surname of the
claimant in two sections: in one of them, the data is associated with your NIF and
your postal address. In another section, your name and surname are not linked to the NIF
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 17
17/184
some, but yes to an address in the town of *** LOCALIDAD.4 in the province of
*** PROVINCE . 1.
F. Letter from EQUIFAX dated 05/30/2019 addressed to this AEPD responding to their request
of information. It says that the claimant provided supporting documentation, issued by
Social Security, for said cancellation and that " After consulting the registered data
in the [FIJ] it is verified that there are two annotations in the name of [the claimant], one
of them associated with their DNI and another associated with an address and a NAF number that does not
corresponds to those provided by the owner in his request. Therefore, we proceed to
cancel only the entry associated with your ID dated 04/10/2019. " (The
underlined is from the AEPD)
Claimant 29: Denounces the publication in the FIJ of their associated personal data
to debts with Public Administrations. It highlights that the information had
published in the BOE; that the file sets a period of 6 years to cancel the
annotations and that many of the debts attributed to him are from the years 2012 and
2014, some are prescribed and others appealed. They work in the file, among others,
this documents:
to. Letter from EQUIFAX, dated 03/07/2019, with the result of access to the FIJ, in the
that associated with the personal data of the claimant (name, surname and NIF),
provide this information:
In the section " Claims from Public Bodies ":
- 3 entries in which the claiming entity is Social Security; for
debts corresponding to the following periods, respectively, 4/2014,
5/2014 and from 07/25/2014 to 10/21/2014. The means of publication is, for the three
incidents, "SS S ELECTR (...) " and the publication dates 07/25/2014,
08/26/2014 and 10/21/2014.
In the " Judicial Claims " section:
- 1st entry: *** ORGANISMO.1 appears as plaintiff ; What
procedure, tax debt; as a means of publication, “*** BOLETIN.5 ” and the
date 07/21/2014.
- 2nd entry: applicant the *** CITY COUNCIL.1; procedure, debt
tax; means of publication *** BULLETIN.1 and the date 11/20/2013.
- 3rd entry: applicant the *** ORGANISMO.1 ; tax debt procedure;
publication medium “ *** BOLETIN.5 ” and the date 01/13/2014.
- 4th entry: plaintiff the General Treasury of the Social Security;
Urgency procedure; publication medium *** BULLETIN.1 and date
02/13/2016.
- 5th entry: applicant on *** CITY COUNCIL.10; procedure, debt
tax; means of publication *** BULLETIN.11 and the date 04/13/2018.
b. Written by EQUIFAX dated 03/07/2019 in which it denies the claimant the
cancellation of your FIJ data “ because you have not provided documentation that
justify the deletion ”. (Sample letter denying cancellation, see Antecedent
Third)
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 18
18/184
c. The AEPD, receiving the claim and before agreeing on its admission for processing, gives
transfer of it to EQUIFAX and request information. The respondent responds on date
06/14/2019 and states: “ Currently, and after consulting the [FIJ] of the data [name
and two surnames of the claimant], holder of the DNI [the claimant's NIF], we indicate
that as of 06/14/2019 we have not registered any incident associated with your
name and surname and your address ”. (The underlining is from the AEPD) In ​​this sense
provides screenshots of your files in which there are no incidents
linked to the claimant.
EQUIFAX does not explain the reason why it is now dealing with the cancellation.
The entity states that the claimant made five requests for cancellation of its
FIJ personal data that led to the processing of the corresponding
files. Provide a copy of the cancellation requests, dated 03/06/2019,
03/07/2019, 03/08/2019, 03/14/2019 and 03/17/2019, and the files managed.
It warns that in all of them the owner exercised the right of cancellation without providing
any type of supporting documentation that justifies the cancellation of the data
registered in said file, " hence the data was kept registered".
Complainant 30: Complaint that you have requested EQUIFAX to cancel your data
of the IJF on dates 02/25/2019 and 03/12/2019 responding on both occasions the
claimed -on dates 02/26/2019 and 03/12/2019- that there are no data in his name.
However, your financial institution continues to view through the FIJ that they consist
debts associated with your personal data. It provides, among others, these documents:
to. Screenshot obtained on 02/27/2019 from the monitor of the banking agent who denied the
funding requested. In the screenshot, under the heading “ Summary of
judicial information ”, the consultation date is 02/27/2019; in section
"NIF / CIF" contains the NIF of the claimant; in the " Name / Company name " section,
" EEE" ; in the section " No. of judicial incidents " " 3 ". These three are referred to
incidents: As " Procedure " appears " Tax Debt "; as " Status"
"Embargo" ; as "Plaintiff" the " State Tax Administration Agency" and,
respectively, the dates 07/23/2013, 10/23/2017 and 11/25/2015.
It also provides a screenshot obtained from the monitor of the banking agent that
denied the requested financing in 2018. The information on this page is identical to the
above with the exception that the date of the consultation appears on 08/21/2018.
b. Certificate issued by the AEAT at the request of the claimant -identified by his NIF,
name and two surnames, DDD - electronically signed on 08/24/2018, which leaves
proof that the applicant is up to date with his obligations
tributary. The validity of the certificate is twelve months from the date of its
expedition.
c. Letter from EQUIFAX dated 02/26/2019 in which it responds to the cancellation
requested by the claimant on 02/25/2019 and informs him that "there is no data
registered persons associated with your identifier / name and at the address provided by you ”.
d. Letter from BANCO SANTANDER, SA, which bears the stamp of the entity with
indication of the branch number and the date 10/03/2018, which indicates that no
been able to grant credit facilities to the EEE client , with NIF [the NIF of the
claimant] upon finding in his name 3 judicial incidents pertaining to the
State Tax Administration Agency between 2013 and 2017.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 19
19/184
and. The AEPD, received the claim and before agreeing on its admission for processing, gave
transfer of her to EQUIFAX and requested information. The respondent responds on
07/01/2019 that “ the result of the search in the [FIJ] of D. EEE data is
negative ”. It acknowledges that the claimant's NIF was associated with a name - EEE -
that it was not yours - DDD - and that, due to this incident, “ and since the
searches of the judicial file are managed by name and surname ”were not located
data associated with the claimant in the files processed by virtue of their
cancellation requests. It adds that on 07/01/2019 the
claimant data.
Claimant 31: Report the inclusion of your data in the FIJ for alleged debts
with the *** CITY COUNCIL. 3, of which it has received news through its bank
caria, without the inclusion having been notified by EQUIFAX or the City Council
the creditor has informed you of its existence. They work in the file, in-
Among others, the following documents:
to. Two writings from EQUIFAX, dated 11/05/2018 and 12/12/2018, respectively,
with the information that appears in the FIJ, associated with the NIF, name and two surnames of the
claimant. The information is identical in both writings. In the section “ Claim-
tions of Public Organizations ” there are no data.
(In the section " Judicial Claims" :
- 2 annotations: Name of the plaintiff, *** CITY HALL. 3 ; process,
Tax debt; publication medium, *** BULLETIN. 3. The publication date is
on 04/05/2013 and 05/20/2014, respectively.
b. Letters from EQUIFAX, dated 11/05/2018 (file reference number
2018/251714) and of 12/20/2018 (file number 2018/285508) in which res-
ponder the claimant's requests so that, respectively, proceed to cancel
your FIJ data and provide you with information about the annotations that appear in the fi-
le associated with your data. EQUIFAX denies the requested cancellation " since
it has not provided documentation to justify the deletion ”. (Model letter transcribed
in Third Fact)
c. The AEPD, upon receipt of the claim and before agreeing on its admission for processing, gives
next to her to the claimed one and asks for information. EQUIFAX responds on 06/18/2019
that there were two files in which the claimant had exercised the right to
cancellation on the FIJ, but without providing any type of supporting documentation
that justifies the cancellation of the data recorded in it, hence the data is
kept registered, and then communicates that on that same date, 06/18/2019,
has proceeded to cancel the information that appeared in the FIJ associated with the claimant
therefore, he says, “ there is no other data registered in the [FIJ] associated with the
name / identifier and address of the claimant ”.
Claimant 32: Denounces the publication of your personal data in the associated FIJ
to debts with Social Security that are already satisfied. It provides, among others, these
documents:
to. Certificate from the General Treasury of Social Security, signed
electronically on 04/08/2019, which states that the identified person
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 20
20/184
with name, two surnames and tax identification number of the claimant and the NAF *** DATO.2 is
find up to date with payment. No documentation is provided of the annotations that
work in the FIJ linked to your data. The claimant provides as address one
located at *** ADDRESS. 2.
b. The AEPD, receiving the claim and before agreeing on its admission for processing, gives
transfer of it to EQUIFAX and request information. The respondent responds on
06/19/2019 and makes these statements that we transcribe:
“(...) After consulting the file of ... [FIJ] of the data of Ms. [the claimant], owner of the
DNI [that of the claimant], indicate that as of 06/19/2019 there were two registered
annotations, one of them associated with the address of *** ADDRESS.3 and the NAF [the
same digits of the claimant's NAF] with debts to Social Security, and another of
them associated with the NIF of the holder, with debts of the Provincial Council and the
*** CITY COUNCIL. 1. We provide the result of access to the file with the data of
reference to date 06/19/2019. "
The result of access to the FIJ that EQUIFAX sends to this Agency has, on the date
06/19/2019, the following characteristics:
(i) Annotations for debts with Social Security are associated,
exclusively, the name and two surnames of the claimant. The space for
NIF is empty. The following annotations appear exclusively linked to the
Name and two surnames of the claimant:
In the section " Claims from Public Bodies" :
- 5 entries in which the claiming entity is, in all, the Social Security;
for debts, respectively for each entry and monthly,
from January to May 2018, inclusive. The medium of publication, in all of them, is
“ *** BOLETIN.1 ” in the months of April, May and June 2018.
In the " Judicial Claims " section:
- 1 entry: TGSS appears as the applicant's name; What
procedure, constraint; as a means of publication, *** BOLETIN.1 ”and the date
04/18/2018.
(ii) EQUIFAX provides another document with the information that appears in the FIJ to date
06/19/2019. In this case, it is associated, in addition to the name and surname of the
claimant, also to your NIF.
In the section " Claims from Public Bodies" there are no data.
In the " Judicial Claims" section there are 2 annotations:
- 1st entry: Name of the applicant, *** ORGANISMO.3 ; process,
Tax debt; means of publication *** BULLETIN.1 and the date 05/27/2019.
- 2nd entry: Name of the plaintiff, *** CITY COUNCIL.1; process,
Tax debt; as a means of publication, *** BULLETIN.1 and the date
04/27/2017.
EQUIFAX states in the letter it addressed to the AEPD on 06/19/2019, responding to
the informative request, that “ On 06/19/2019, all
the data registered in the file of Legal Incidents and Claims of
Public Bodies associated with the owner, Ms. [claimant] ... ” And it provides captures of
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 21
21/184
screen of their systems in which it reflects the cancellation of all data. Attached
also a copy of the letter sent to the complainant in which he stated: " Le
We inform you that we have proceeded to delete the data related to your claim,
associated with your identifier / name and at the address provided by you ” (The
underlined is from the AEPD)
Complainant 33: Complaint that he has paid the outstanding fines to the
*** CITY COUNCIL. 3 ; that in the internal files of the City Council already appears without
debts and that, despite this, your data continues to be included in the FIJ "so that either the
The City Council or EQUIFAX is responsible for not having updated data
confidential information about my creditworthiness ”. Provide as address one located in
*** ADDRESS. 4.
to. The AEPD, receiving the claim and before agreeing on its admission for processing, gives
transfer of it to EQUIFAX and request information. The respondent responds on
06/19/2019 in the following terms that are transcribed:
“... after consulting the [FIJ] of the data of [the claimant ] holder of the DNI [that of the
complainant ] we indicate that as of 06/19/2019 there is no registered
incident associated with your name / identifier and your address. However, if the owner
would have resided in other addresses where he would like to be consulted, since in the
file contains annotations in the name of [the name and two surnames of the claimant]
associated with addresses other than those provided for this claim,
you can send us a request expressly mentioning them ”. (The underline is
of the AEPD)
Claimant 34: Report the inclusion of your personal data in the FIJ. Provides, between
others, these documents:
to. EQUIFAX's letter dated 04/08/2019 containing your personal data
(name, surname and NIF) associated with the following information. In section
"Claims from Public Organizations " no data. In section
" Judicial Claims ":
- 1st entry: applicant the *** ORGANISMO.5; as procedure, debt
tax; as a means of publication, “*** BOLETIN.10” and the date 03/28/2016.
- 2nd note: State Tax Administration Agency; procedure, debt
tax; publication medium, " Tax Agency Headquarters" and the date 02/03/2017.
- 3rd entry: State Tax Administration Agency; procedure, debt
tax; publication medium, " Tax Agency Headquarters " and the date 02/24/2017.
b. Letter from EQUIFAX to the claimant, dated 04/08/2019, in which he responds to the
requested access. (Model letter response to request for access, transcribed in Fact
Third)
c. The AEPD, receiving the claim and before agreeing on its admission for processing, gives
transfer of it to EQUIFAX and request information. The respondent responds on
07/01/2019 and confirms that, in the FIJ, associated with the name, surname and NIF of the
Claimant listed several incidents. They are the same as reflected in the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 22
22/184
EQUIFAX information dated 04/08/2019.
Complainant 35: Complaints that the inclusion of their data in the FIJ violates both the
LOPD as the RGPD. He states that he was not informed of the inclusion of his data in
the file; that there has not been a mandate from the creditor for their data to be included
in the FIJ; that the debt is non-existent, since it is paid; that according to information
provided by the SAC of AEBOE may only consult your data in the BOE if
have been published in the preceding three months, otherwise requesting the
information prior accreditation of your identity. He adds that EQUIFAX did not attend to his
cancellation request. It provides, among others, these documents:
to. Writings from EQUIFAX dated 04/05/2019 and 09/0472019 with the information
associated with your name, surname and NIF -identical in both documents- that appears
in the FIJ. In the section " Claims Public Organizations":
-
2 annotations in which the Social Security claimant is recorded, for
debts corresponding to the periods 09/2014 and 10/2014, respectively;
as publication medium, “ SS S CTR (...)” and as publication date, for
both entries on 01/13/2015.
In the "Judicial Claims" section:
- An annotation: as plaintiff the TGSS; as a procedure, Urgency; What
medium of publication, *** BOLETIN.3 and as of publication date 05/23/2016.
b. TGSS Certificate of " Being up to date on Security obligations
Social ” , signed electronically on 04/09/2019 and associated with the data of the
claimant (name, two surnames, NIF and NAEF).
c. Letter from EQUIFAX, dated 04/09/2019, in which he responds to a request for
cancellation of FIJ data, dated 04/05/2019, which denies inasmuch as, it says, the
claimed has not proven to be up to date with the payment. EQUIFAX letter, dated
04/22/2019, in which it informs the claimant that it has responded to her request for
cancellation dated 04/09/2019 and it has proceeded to cancel the FIJ "the data
associated with your identifier / your name and the address provided by you ”.
d. AEBOE Customer Service email sent to the
claimant. On 01/18/2019 informs you in the following terms:
“If your notification has been published in the last three months, you can consult it
using
the
seeker
of
BOE:
https // www.boe.es / tablon_edictal_unico / notifications.php. "
"To check your previous notifications, you can access with a digital certificate,
to the
service
"My
advertisements
from
notification"
https // www.boe.es / tablón_edictal_unico / Notifications_historico.php. " This service will
allows access without time limit, to the notification announcements that incorporate
your NIF, whether it is a natural person or a legal person or entity.
To do this, you must first identify yourself through the CL @ VE system (...) "
“Another option is to recover you. your notifications with a digital certificate to
through the citizen folder ... "
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 23
23/184
“If you want the Citizen Attention Service to process your request, and since
Notification data is of a personal nature, we need you to request it at
Citizen Attention Service (www.boe.es/info) making the request and
Attaching a photocopy of your ID, the date of publication and the body that sent you the
notification if you know them. If you are acting on behalf of a notified person, you must send us,
in addition, the authorization of the affected person "
Claimant 36: Report the inclusion of your personal data in the FIJ for debts
that are not true and the entity's refusal to comply with the right to delete
your data. They are in the file, among others, these documents:
to. Letter from EQUIFAX dated 10/18/2018 addressed to the claimant with the following text: “ Le
We inform you that on that date we have proceeded to register in the Incidents file
Judicial and Public Bodies Claims the information that a
then we point out: " Court / Agency" "TGSS"; "Subject- DSS"; "Source
of the information Official State Gazette ”; "Date 10/18/2018 ".
The letter is addressed to the same address that the claimant has provided to this Agency if
either the data of the block number of the house is missing in it. The letter identifies
the claimant by name and two surnames, but there is no NIF, NIE or NAF.
b. TGSS certificate, electronically signed on 10/30/2018, called
" Report of being up to date with Social Security obligations " regarding the
claimant, identified by his name, two surnames, NIF and NAF.
c. Claimant's letter to EQUIFAX, whereby he exercises the right to
deletion of your data, with which you attach the certificate issued by the TGSS, and
Proof of shipment addressed to the claimed person through certified mail
on 11/21/2018.
d. The AEDP, received the claim and before agreeing on its admission for processing, gave
Transfer of her to the claimed one on 06/27/2019 and requested information. EQUIFAX
Respond on 07/02/2019. You acknowledge that you received the request for deletion from the claimant
on 11/21/2018 as well as the TGSS Report that accredited that it was at the
current payment in Social Security obligations.
It states that “ Said request was attended, proceeding to cancel the data
registered in said files on December 7, 2018 ”. Nevertheless,
EQUIFAX, in the same document, makes other claims - that the documentation
which it annexes confirms that they radically contradict the previous one. In the same
Written statement states that it responded to the claimant's request for cancellation of 11/27/2018
" Indicating that it was necessary for him to send a copy of his ID to attend to his request."
Provide a letter dated 12/07/2018 addressed to the claimant - sent by mail from
12/10 / 2018- in which it says: “We regret to inform you that it has not been possible to accredit
the identity of the interested party. We ask that you provide additional documentation that
can confirm your identity, as a legible photocopy on both sides of the
DNI / NIF / CIF and proceed to attend to your cancellation request "
Provide a document with the result of access to the FIJ on 11/27/2018. Call the
Attention that the annotations (two incidents for claims of the Security
Social) are exclusively associated with the name and two surnames of the claimant. The
The space for the NIF is empty.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 24
24/184
Claimant 37: Complaint that EQUIFAX attributes a debt to the Security
Social that is non-existent, extreme that has been accredited through a certificate of the
TGSS. The following documents are in the file:
to. TGSS certificate, electronically signed on 05/23/2019, certifying that the
person identified with the name, surname and NIF of the claimant is aware of
payment in Social Security obligations.
b. The AEPD, having received the claim, before agreeing on its admission for processing, gave
Transfer of her to EQUIFAX on 06/19/2019 and requested information. The
The complainant responds on 06/21/2019 and states: “ Currently, after consulting the [FIJ]
of the data of Mr. [the claimant] holder of the DNI [the claimant's NIF], we indicate
that as of 06/21/2019 there are no incidents associated with your
name / identifier and your address ”. (The underlining is from the AEPD)
EQUIFAX claimed to have received two access / cancellation requests from the claimant.
One, which led to expediten 2019/119599, which was rejected for not having
provided supporting documentation for the deletion of the data. Another, received on
05/25/2019, with which he provided a certificate issued by the TGSS, and as
Consequently, he proceeded to cancel the data on 06/04/2019.
c. They work in the file, provided by EQUIFAX, the copy of various emails
electronic messages that the claimant sent to the respondent requesting the deletion of their
data. In all of them, he states that he sends him a Social Security certificate that
it would prove that the debts attributed to it do not exist. They are all aimed at
sac@equifax.es on 05/17/2019; 05/20/2019 and 05/25/2019.
d. EQUIFAX document with the result of access to the FIJ associated with the name,
surname and NIF of the claimant. The documents, identical to each other, are of different
dates, 05/21/2019 and 05/27/2019, and contain this information:
In the section " Claims from Public Bodies ":
- 17 annotations in which the complaining entity is, in all, the Security
Social; for monthly periods -from 08/2014; 11/2016; and the remaining fifteen by
successive months between 01/2017 and 03 / 2018-; the middle of
publication is, in all cases, *** BULLETIN. 8 and the publication dates the
11/17/2014 the first and 05/28/2018 the last.
In the " Judicial Claims " section there is an annotation: As plaintiff
figure the TGSS; as a procedure, Urgency; as a means of publication, “SS S
ELECTR (...) ”and the date of publication 03/30/2015.
Claimant 38: Complaint that EQUIFAX has included it in a file of defaulters for
debts that are not true because they have already been paid. They work in the file, between
others, these documents:
to. Report issued by the *** ORGANISM . 6. , signed on 05/17/2019, which certifies that
The taxpayer -the claimant, identified by her name, two surnames and NIF- does not
has outstanding debts with the *** CITY COUNCIL. 11.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 25
25/184
b. Written with the EQUIFAX anagram, dated 05/17/2019, with the information that
It appears in the FIJ on that date associated with the name, two surnames and NIF of the
claimant. In the section " Claims from Public Organizations ", there is no data.
In the " Judicial Claims " section there is an annotation: As an entity
plaintiff figure *** CITY HALL. 11 ; as a procedure, tax debt;
As a means of publication, *** BULLETIN. 12. and the date of publication 06/18/2018.
c. Letter from EQUIFAX addressed to the claimant, dated 05/27/2019, in which
responds to the cancellation of your FIJ data that you had requested and informs you that
“ After the pertinent checks, we have proceeded to remove the file [FIJ] of
the data related to your claim, associated with your identifier / your name and the
address provided by you ”.
d. The AEPD, having received the claim, and before agreeing on its admission for processing, gave
Transfer of her to EQUIFAX and requested information on 06/19/2019. The
claimed responds on 06/21/2019 and states that on 05/16/2019 he received a request for
cancellation of the claimant with whom he provided supporting documentation of the
non-existence of debt, therefore, on 05/27/2019, the cancellation of the
the annotation.
Complainant 39: Complaints that EQUIFAX has included their data in the FIJ without their
consent with information obtained from the BOE, in breach of both the LOPD and
the GDPR. It provides, among others, these documents:
to. Letter from EQUIFAX addressed to the claimant, dated 05/14/2017, in which he responds
to the request for cancellation of your FIJ data, which was registered in its offices on
05/13/2019, in which he communicates that “since he has not provided documentation that
justify the deletion, it is not appropriate to attend to your request ”.
b. Letter from EQUIFAX, dated 05/14/2019, with the information contained in the FIJ
associated with the name, two surnames and NIF of the claimant. In section
" Claims of Public Organizations", there is no data. In section
" Judicial Claims " two annotations are collected:
- 1st entry: Name of the plaintiff, *** CITY COUNCIL.3; process,
Tax debt; Publication medium, *** BULLETIN. 3 and the date 08/30/2017.
- 2nd entry: Plaintiff, AEAT; procedure, tax debt; source of
publication, " Tax Agency Headquarters " and the date 06/08/2016.
Complainant 40: Report that your personal data has been included in a file
of capital solvency for a debt with the City Council that was paid in
time and form. It accredits that it has no outstanding debts with the City Council. The
Claimant provides, among others, these documents:
to. Written with the EQUIFAX anagram, dated 05/30/2019, with the information that
It appears in the FIJ associated with your name, two surnames and NIF. In section
" Claims of Public Organizations ", there is no data. In section
" Judicial Claims ":
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 26
26/184
- An annotation: Plaintiff the *** CITY COUNCIL.12; procedure, debt
tax; medium of publication, *** BULLETIN.3 and the date of publication
01/08/2016.
In the " History of Queries " it is reported that queries were made in the
following dates: 05/29/2019; 05/28/2019; 12/13/2019; 12/10/2018 and 12/09/2018.
b. Letter from EQUIFAX, dated 06/10/2019, responding to the opposition exercised by the
claimant to have their data published in the FIJ. EQUIFAX claims that there are no
registered data associated with your identifier / name and at the address provided by the
claimant and that “ we are not aware that your data has been consulted by any
entity in the last six months ”. (The underlining is from the AEPD)
Claimant 41: You report the inclusion of your data in the FIJ without your consent and
that, despite having requested EQUIFAX to cancel the entry and having
provided for this purpose the copy of the judicial resolution that accredited the extinction of the
debt, has refused to attend the cancellation. It provides, among others, these documents:
to. Order of the Court of First Instance No. 3 of (...), of 06/02/2017, issued in the
Ordinary Bankruptcy procedure 115/2017, section B, which declares the
claimant -identified by his name, two surnames and NIF- in " contest of
consecutive creditors ” and provides for the“ publication of this resolution (...) in the
Public Insolvency Registry and in the Official State Gazette and, for this purpose,
they will send the corresponding edicts with the indispensable mentions that
establishes article 23.1 of the LC (...) In addition, an edict will be posted on the notice board.
announcements of this judicial body ”.
c. Order of the Court of First Instance No. 3 of (…), relapsed in the procedure of
Consecutive Contest 115/2017 B, dated 04/09/2019, which "Agrees to the conclusion
of the bankruptcy proceeding with respect to Ms [the claimant] and the granting of the
bankrupt of the benefit of definitive exoneration of the unsatisfied liability,
proceeding to file the cars ". (The underlining is from the AEPD)
d. Letter from EQUIFAX, dated 05/30/2019, with the information that appears in the FIJ
associated with the data of the claimant -name, two surnames and NIF-. In section
" Claims of Public Organizations ", there is no data. In section
"Judicial Claims " consists of:
- An annotation: The identity of the plaintiff does not appear; as a procedure
indicates " voluntary contest"; “No. of Order and Court” 115/2017, First Instance;
means of publication, Official State Gazette and date 11/06/2017.
and. Letter from EQUIFAX to the claimant, dated 06/08/2019, responding to her request for
cancellation of your FIJ data, dated 05/30/2019, in which you are notified that “no
It is appropriate to attend to your request "" since you have not provided documentation that justifies
the suppression ”.
Complainant 42: Report the violation of your right to data protection. Ha
been included in the FIJ delinquent file and the requested cancellation has been denied.
These documents are in the file:
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 27
27/184
to. Letter from EQUIFAX, dated 03/18/2019, with the information that appears on that date
in the FIJ associated with the claimant's personal data (name, two surnames and
NIF). In the section " Claims from Public Organizations ", there is no data. In the
section " Judicial Claims":
- 3 annotations: In all of them the name of the plaintiff is the
*** CITY COUNCIL. 13; as a procedure, tax debt; as " No. of Auto
and Judged ”, it appears, respectively for each entry,“ 2743575/0
Local Administration ", " 3129072/0 Local Administration " and
"826/000
Local Management". The publication medium is, for all annotations,
*** BULLETIN. 13 and publication dates are, respectively, 10/15/2014,
03/25/2015 and 04/16/2014.
b. Letter from EQUIFAX to the claimant dated 03/18/2019 in which he responds to
the request for access to your data in the FIJ according to the usual letter model
used by the entity.
c. Certificate issued by the Secretary of the *** CITY COUNCIL. 13, signed on
03/08/2019, which attests that the claimant -identified by his name, two surnames
and NIF- is up to date with the payment of its tax obligations.
d. The AEPD, having received the claim, and before agreeing on its admission for processing, gave
Transfer of her to EQUIFAX and requested information on 08/12/2019. The
claimed responds on 08/14/2019 and states that on 06/30/2019 the claimant requested
the cancellation of your FIJ data and that on 07/09/2019 we proceeded to give
download your data from the file and answer you. Attach a copy of the claimant's email from
date 06/30/2019 with which he provided a copy of the certificate issued by the
Allegedly creditor city council.
Complainant 43: Complaint that he received in August 2019 a letter from EQUIFAX -with
the reference number 740 / JU1908006269- informing you that your personal data had
been included in the FIJ. It adds that, after having exercised the "ARCO" rights
and having sent the required documentation to the respondent, has not received a response despite
more than a month has passed since your request. It provides, among others, these
documents:
to. Letter from EQUIFAX with reference number 740 / JU1908006269, sent by mail
postal address to the same address that appears in the copy of the claimant's DNI. The letter goes
addressed to Mr. GGG ., is dated 08/22/2019 and in it informs him that in that
date, this information associated with your data has been registered in the FIJ:
as " Court / Body " " Provincial Council "; as " Subject " tax debt; What
" Origin of the information " Official State Gazette and the date 08/21/2019.
b. The copy of three emails that the claimant sent to the EQUIFAX SAC, dated
09/05/2019, 09/16/2019 and 09/27/2019. In the first of them, with which he annexed a
A copy of your ID, requested access to your FIJ data. In the other two, it was limited to
remind the respondent of the request made and the time that had elapsed without
receive reply.
Claimant 44: Report the inclusion of your personal data in the FIJ linked to
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 28
28/184
an alleged debt with the AEAT without EQUIFAX having verified the certainty of the
debt with the Public Administration and without being notified of the inclusion. Add
that you refuse to cancel your data from the FIJ. It provides, among others, the following
documents:
to. Written with the EQUIFAX anagram, dated 10/09/2019, with the information that appears
in the FIJ associated with your name, two surnames and NIF. In the section " Claims
of Public Organizations ”, there is no data. In the " Judicial Claims " section:
- An annotation: The name of the plaintiff is the AEAT; the procedure, debt
tax; the publication medium, " Tax Agency Headquarters " and the date
01/27/2017.
b. Letter from EQUIFAX to the claimant dated 10/09/2019 (file with reference
2019/225056), in which it denies the requested cancellation “ since it has not
provided documentation that justifies the deletion ”.
c. Email sent by the claimant to the EQUIFAX SAC on 10/09/2019
requesting the exclusion of your data from the files of the claimed with which you send
copy of your residence permit.
Complainant 45: Complaint that EQUIFAX has included their data in the FIJ linked to
alleged debts with the *** CITY COUNCIL. 12. Explain that you heard about your
inclusion on 10/19/2019 and that previously did not receive any communication
informing you of its inclusion. Provide these documents:
to. Written with the EQUIFAX anagram, dated 11/19/2019, with the information that
It appears in the FIJ associated with your name, two surnames and NIF. In section
" Claims of Public Organizations", there is no data. In section
" Judicial Claims ":
- 3 entries: The name of the plaintiff is, in the first entry, the
*** CITY COUNCIL.14 and in the second and third the *** CITY COUNCIL.12;
As a procedure, the three entries include " tax debt "; the middle
of publication is, respectively *** BULLETIN.14 and *** BULLETIN.15 and the dates
02/09/2015 for the first and 12/05/2018 for the second and third.
b. Letter from EQUIFAX to the claimant, dated 11/19/2018, (file with reference
2019/257542) in which it responds to the request for access (Sample letter of
response to the requested access, transcribed in the Third Fact)
Complainant 46: Complaint that EQUIFAX has published their personal data in the FIJ
violating data protection regulations, so he requests that they be
canceled. It provides, among others, these documents:
to. Letter from EQUIFAX, dated 10/21/2019, with the information contained in the FIJ,
on that date, associated with your personal data -name, two surnames and NIF-. In the
section " Claims from Public Bodies ", there is no data. In section
" Judicial Claims ":
- 2 entries: In both, the plaintiff's name is AEAT; The procedure,
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 29
29/184
Tax debt; the means of publication, " Tax Agency Headquarters " and the date,
respectively, on 12/02/2014 and 03/05/2014.
b. Letter from EQUIFAX addressed to the claimant, dated 10/21/2019 (number of
file of the claimed 2019/235237), in which it responds to the access to the data
listed in the FIJ. (Sample letter of response to the requested access, transcribed in
the Third Fact)
Complainant 47: Complaint that EQUIFAX has published their personal data in the FIJ
violating data protection regulations, so he requests that they be
canceled. Provides, among others, the following documents:
to. Letter from EQUIFAX, dated 10/21/2019, with the information that, associated with the
personal data of the claimant -name, two surnames and NIF- appears in the FIJ in
That date. In the section " Claims from Public Organizations ", there is no data. On
the section " Judicial Claims ":
- 5 inclusions: In all of them the applicant appears as
*** CITY COUNCIL. 3; as a procedure, tax debt; as a means of
publication, “ Tax Agency Headquarters ” and the date, respectively, 12/02/2014 and
03/05/2014.
b. Letter from EQUIFAX, dated 10/21/2019 (file number of the claimed
2019/235205), in which it responds to the access requested by the claimant to the data
listed in the FIJ. (Sample letter of response to the requested access, transcribed in
the Third Fact)
Complainant 48: Complaint that EQUIFAX has included your personal data in the FIJ,
linked to an alleged debt with the *** CITY COUNCIL . 7. The City Council has
certificate that there are no debts in your name. Provide these documents:
to. Letter from EQUIFAX, dated 08/24/2019, bearing the reference
740 / JU1908006464, in which it informs you that on 08/23/2019 the
to register the following information in the FIJ: " Court / Agency ",
*** CITY COUNCIL. 7; " Subject", tax debt; " Origin of the information ", Bulletin
Official of the State; " Date ", 08/23/2019.
b. Certificate of *** CITY COUNCIL. 7 , signed on 01/20/2020, in which the
to state that as of the date there are no outstanding debts in the name of the
claimant.
c. Claimant's letter to EQUIFAX, dated 01/27/2020, in which he requests the
cancellation of your FIJ data and with which you send the certificate issued by the
Town hall.
Complainant 49: Report that EQUIFAX has included your personal data in the FIJ
associated with a non-existent debt. He states that on 08/14/2019 he received from EQUIFAX
a letter, with the reference 740 / JU1905009652, informing him that he had given
high in a file of defaulters. Add in your writing; that the debt that EQUIFAX
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 30
30/184
attributed corresponds to the rustic IBI of the *** ORGANISMO.5 ; that was published in the BOE
and that such debt was paid in the past through a bank account, so it is
non-existent. The claimant has not provided any document attached to his brief of
claim.
Claimant 50: Report the inclusion of your personal data as delinquent in the FIJ
for debts with various Public Administrations that are not true and that EQUIFAX
continues to keep these annotations despite having sent you documents that
they prove the non-existence of debts. He explains that the AEAT has informed him that no
It has nothing to do with the treatment that the person in charge of the FIJ makes of your data
personal and that he is up to date in the payment of the deferral agreed in the
year 2014 of which " there are two letters left to pay, for the months of July and August."
It adds that the debt with the *** CITY COUNCIL, which it contracted in
the year 2012 and that he paid, by garnishment of his payroll, in the year 2014. He contributes,
among others, these documents:
to. Letter from EQUIFAX, dated 05/27/2019, with the information contained in the FIJ
associated with your personal data -name, surname and NIF-: In the section
"Claims of Public Organizations ", there is no data. In section
"Judicial Claims ":
- 1st entry: as plaintiff the AEAT; as a procedure, tax debt;
as a means of publication, " Tax Agency Headquarters " and the date 04/15/2014.
- 2nd entry: as plaintiff the *** CITY COUNCIL. 11, as a procedure,
Tax debt; as a means of publication, *** BULLETIN.8 and the date
02/05/2014.
b. Certificate issued by the *** CITY COUNCIL. 11, electronically signed on
05/22/2019, stating that there are no outstanding debts in the name of the
claimant.
c. Documents issued by the AEAT: (i) From the Regional Revenue Unit
of the Special Delegation of (...) , addressed to the claimant, in which they notify a
wage garnishment diligence: diligence number 081421339376V, dated
09/13/2014. In it, the seizure of the liquid amount of salaries or
wages that were paid to the obligor in a sufficient amount to cover the amount
of the debt not paid in voluntary period, the ordinary compulsory surcharge and the
interests and costs of the ordinary procedure, for a total amount of 229.47 euros.
The document identifies the “ obligated ”, who coincides with the claimant and the
“ Payer ”, the company *** COMPANY.1 .
(ii) Document from the AEAT, Special Delegation of (...); Annex II, with the heading
" Settlement of default interest resulting from the granting of the postponement." On
the document, which contains the personal data of the claimant and the reference “ Nº
file 081440369344S " , this legend is included: " ... As a consequence of the
authorization of deferred or installment payment of the debt / s, proceeds to the
corresponding settlement of default interest ”. It is dated 03/31/2014. (The
underlined is from the AEPD)
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 31
31/184
Claimant 51: The claim is directed against the *** CITY COUNCIL. 1 to understand
the claimant who has been this Public Administration who has included in the FIJ its
personal data associated with debts that are not true. In the claimant's opinion the
Annotations in the file correspond to fines imposed by the Local Police of the
*** CITY COUNCIL. 1. The claimant provides among other documents:
to. Abundant documentation regarding the remedies for replacement and extraordinary
review filed against resolutions of the aforementioned City Council relapsed in
disciplinary proceedings for traffic and parking offenses
regulated. Among the documents that the claimant provides several resolutions
dictated by that local entity, estimating some of the replacement resources
filed against the seizure of assets decreed by the City Council before the
non-payment of fines. The estimated resolution of the remedies for replacement is based on
that the City Council had not notified the claimant of the initiation of the
pressure to collect the amount of the fines.
b. Letter from EQUIFAX, dated 02/05/2019, with the information that appears in the FIJ
associated with your personal data -name, surname and NIF-: In the section
"Claims of Public Organizations ", there is no data. In section
"Judicial Claims ":
- An annotation: the *** CITY COUNCIL.1 ; process,
Tax debt; Auto and Court number, an illegible reference number followed
of the Local Administration indication; publication medium, *** BULLETIN.1 and the date
01/17/2019.
Claimant 52: Report the inclusion of your data in the FIJ associated with a debt
non-existent. It states that on 05/03/2019, in the bank where you request a
financial product, they verify that there is an annotation for debts from
November 2017 linked to your data. It provides, among others, these documents:
to. Letter from EQUIFAX, dated 05/22/2019, with the information that appears in the FIJ
associated with your name, surname and NIF: In the section "Claims for
Public Organizations ”, there is no data. In the "Judicial Claims " section:
- An annotation: as plaintiff appears the *** CITY COUNCIL.12; What
procedure, tax debt; as publication medium, "TEU-BOE" and the date
24 // 11/2017.
b. Printing a screenshot with economic information regarding the
claimant bearing the seal of Banco Santander, SA and the date 06/25/2019. In one of
the lines, under the heading " Negative files (06/24/2019) " read: " Incl. Judicial; 1st
incidence 11/24/2017; last incident 11/24/2017; Worse situation, Normal ”.
c. Certificate issued by the *** CITY COUNCIL. 12 in which it is indicated that on the date
06/24/2019 “ there is no ... debt due in the name [of the claimant] with DNI [ the NIF
of the claimant] for taxes, fees or municipal public prices
managed by this collection unit ” .
d. Several emails that the claimant sent to the EQUIFAX SAC: Dated
05/04/2019, in which in addition to requesting that they cancel that entry, it explains the
information that you have learned through the Banco de Santander entity and that after
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 32
32/184
consult the *** CITY COUNCIL. 12 and the DGT to find out if it exists in your name
any pending debt or traffic fines the result has been negative. Of dates
05/13/2019 and 05/15/2019 in which he informs them that he continues to wait for you
clarify " what this is about that is in your records ."
and. EQUIFAX letter dated 05/22/2019 in which you respond to the requested cancellation
denying it for not having accredited the payment of the pending debt. (Sample letter
denying cancellation transcribed in the Third Fact)
Complainant 53: Report the inclusion of your personal data in the FIJ for a
non-existent debt, as it was paid long ago. Highlight the consequences
negative that their inclusion in the FIJ has caused. It provides, among others, these
documents:
to. Letter from EQUIFAX, dated 07/17/2019, with the information contained in the FIJ
associated with name, two surnames and NIF: In the section "Judicial Claims ":
- An entry: as plaintiff, the *** CITY COUNCIL.12; What
procedure, tax debt; as a means of publication, *** BOLETIN.15 and the
date 04/06/2018.
It is striking that the IJF Consultation History does not include any. Without
However, in the History of consultation of the ASNEF and ASNEF Companies files -
Despite the fact that there are no incidents associated with the claimant, they do include
four consultations carried out in the last six months.
b. Certificate from the Tax Management Body of *** CITY COUNCIL. 12, signed
electronically on 05/16/2019, which certifies that the claimant, identified by his
name, two surnames and NIF, is up to date with the payment of its obligations
tax with that City Council.
Claimant 54: Report the inclusion of their data in the FIJ, obtained from the BOE,
associated with non-existent debts. He claims to have sent the demanded proof of the
payment of debts and has not canceled its data from the file. Provide a copy, among others,
of these documents:
to. Letter from EQUIFAX, dated 05/13/2019, with the information that appears in the FIJ
associated with your name, two surnames and NIF. In the section " Judicial Claims"
consists of:
- 3 entries in which it appears, as the name of the plaintiff,
*** CITY COUNCIL. 5; as a procedure, tax debt; as a means of
publication, “*** BOLETIN.6 ” and the following dates, respectively,
10/21/2015; 06/22/2018 and 08/23/2017.
- An annotation in which the name of the plaintiff, AEAT; What
procedure, tax debt; as a means of publication, Agency Headquarters
Tax and the date 08/07/2017.
b . "Certificate of being up to date with Social Security obligations ", issued
by the TGSS and electronically signed on 05/08/2019. The document indicates that the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 33
33/184
person identified with the name, two surnames and NIF of the claimant “ does not have
pending income no claim for debts already overdue with the security
Social".
c. Certificate issued by the AEAT -Special Delegation of (...) - signed
electronically on 05/10/2019, in which he declares that the claimant -identified by
your name, two surnames and NIF- you are up to date with your obligations
tributary.
d. Letter from EQUIFAX to the claimant, dated 05/22/2019, in which he responds to the
cancellation of data requested on 05/10/2019 and informs you that " after the
Relevant checks we have proceeded to download the data in the [FIJ]
related to your claim, associated with your identifier / name and address
contributed by you ”.
Complainant 55: Complaint that EQUIFAX has included and maintains data in the FIJ
Claimant's personal data obtained from the BOE, treatment that is illegal. Provides, between
others, these documents:
to. Letter from EQUIFAX, dated 08/13/2019, with the information that appears on that date in
the FIJ, associated with your name, two surnames and NIF. In the section " Claims for
Public Organizations ”, there is no data. In the " Judicial Claims " section:
- An entry: as a plaintiff it appears *** CITY COUNCIL.2 ; as " No. of
Writ and Court ”, tax debt; as a means of publication, *** BULLETIN.2 and the
date 05/04/2016.
b. Letter from EQUIFAX to the claimant, dated 08/13/2019, (file of the claimed
reference 2019/181735) in which it responds to the request received at its offices on
08/12/2019 in which -according to EQUIFAX- the claimant requested access to
your FIJ data.
c. Copy of the brief, dated 08/08/2019, that the claimant sent to EQUIFAX through
email. The company "E-Guarantor" certifies the dispatch to the respondent of the letter of the
claimant and the attached documents -copies of the claimant's DNI and their
representative and the report issued at the request of the claimant by AEBOE- to the address
electronic sac@Equifax.es, as well as the receipt of the letter and documentation by the
claimed. In the letter, the claimant requests EQUIFAX " the urgent suppression " of
your personal data from FIJ and does not mention access at all.
d. Report issued by the State Agency Official State Gazette (AEBOE), signed
electronically on 07/31/2019, in which he responds to the query made by the
complainant about “if it is legal, if I obtain personal data published by the
BOE, "name, surname and DNI" to create a database for profit ".
Claimant 56: Report the inclusion of your personal data in the file of
defaulters of EQUIFAX for an alleged debt with the AEAT that is unknown
totally. He states that if the debt were true, he would have paid it, that they have not
payment is required and that the delinquency file does not specify the amount of the
alleged debt. The only document provided is the copy of the DNI.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 34
34/184
Claimant 57: Address your complaint to EQUIFAX. The only document that provides
It is the copy of the DNI. In the claim form, identify the “ alleged creditor ”,
*** CITY COUNCIL. 10, and includes a single sentence: “We are not aware of a debt for being
paid with City Hall. Monthly partial payments ”.
Claimant 58: Report the inclusion of your data in the FIJ for alleged debts
with Public Administrations of which he has heard when trying, without success, to carry out
a financial transaction. He adds that EQUIFAX has denied him the cancellation of his
data and that allegedly creditor public entities have confirmed that
has no outstanding debts. Provide a copy of the following documents.
to. Letter from EQUIFAX, dated 10/09/2019, with the information included on that date in
the FIJ associated with the name, two surnames and NIF of the claimant. In section
" Judicial Claims" are reflected 8 annotations:
- Two annotations in which the applicant appears *** CITY HALL.3; the
procedure is tax debt; the means of publication, *** BOLETIN.3 and the
dates, respectively, 04/13/2016 and 09/19/2019.
- Two annotations in which the AEAT appears as plaintiff; as a means of
publication, " Tax Agency Headquarters " and the dates, respectively, 11/26/2013
and 12/30/2014.
- Three annotations in which the *** CITY COUNCIL.12 appears as the plaintiff;
as a procedure, tax debt; as a means of publication, *** BULLETIN.3
and, respectively, the dates 01/22/2018, 02/07/2018 and 06/12/2018.
- An entry in which the name of the plaintiff is *** CITY COUNCIL.15 ;
the procedure indicated tax debt; the publication medium,
*** BULLETIN. 3 and the date 05/09/2016.
b. Letter from EQUIFAX to the claimant, dated 10/09/2019, file number of the
claimed 2019/225276, in which it responds in the following terms to the request
cancellation of the FIJ data that had entry into that entity on 10/09/2019:
" Since it has not provided documentation to justify the deletion, it is not appropriate
attend to your request ”.
Claimant 59: Report the inclusion of your personal data in the FIJ associated with
debts with Social Security and various municipalities. He adds that the debt with the
Social Security is non-existent, as it was paid in 2016; that referred to EQUIFAX
supporting documentation of being up to date with payments and that, despite having
answered that they canceled the annotations, the alleged debt continues to be included in the
FIX. Provide the following documents:
to. Letter from EQUIFAX, dated 09/24/2019, with the information that on that date was
Include in the FIJ associated with the name, two surnames and NIF of the claimant. In the
In the “ Judicial Claims” section, there are five annotations:
- 1st entry: name of the plaintiff, *** CITY COUNCIL. 7; process,
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 35
35/184
Tax debt; publication means *** BULLETIN.8 and the date 09/04/2015.
- 2nd entry: plaintiff, the *** ORGANISMO.7; procedure, tax debt;
publication medium, *** BULLETIN. 8 and the date 08/14/2019.
- 3rd entry: plaintiff, *** CITY COUNCIL.16; procedure, debt
tax; medium of publication, *** BULLETIN. 8 and the date 03/28/2018.
- 4th entry: plaintiff, *** CITY COUNCIL.16; procedure, debt
tax; publication medium, *** BULLETIN. 8 and the date 04/16/2018
- 5th entry: plaintiff, AEAT; procedure, tax debt; source of
publication, Tax Agency Headquarters and the date 07/08/2016.
In the section " Claims from Public Bodies":
- 10 entries: in all of them, the complaining entity is the TGSS; by periods
monthly and correlative between 07/2014 (the first entry)
until 03/2015 (the ninth entry). The tenth entry corresponds to
October 2015. The means of publication is in all cases, *** BULLETIN.8 and
the publication date of 09/10/2015 for the first nine entries and the
12/21/2015 for the tenth.
b. Copy of the email that the claimant sent to the EQUIFAX SAC on 09/24/2019 in the
which states that the debts with Social Security attributed to him were paid
several years before, provide a copy of the negative certificate issued by the TGSS and request
cancellation of the annotation.
c. Letter that EQUIFAX addresses to the claimant, dated 10/03/2019, responding to the
cancellation requested. It informs you that after the relevant checks have
proceeded to unsubscribe from the FIJ the data related to your claim associated with your
identifier, name and address provided by the claimant.
Claimant 60: Complaint through two writings (from the years 2019 and 2020
respectively) the inclusion of your personal data in the FIJ, without your consent
nor knowledge, associated with a debt with the *** CITY COUNCIL. 17., of the year 2014,
of which it ignores its existence, amount and what it corresponds to. It contributes the following
documents:
to. Letter from EQUIFAX, dated 06/12/2019, with the information included on that date
in the FIJ associated with your name, two surnames and NIF. In the section " Claims
of Public Organizations ” there is no data. In the section "Judicial Claims"
there is an annotation:
- Plaintiff, *** CITY COUNCIL. 17 ; procedure, tax debt; source of
publication, *** BULLETIN. 16 and the date 07/05/2014.
b. Written statement that declares to have sent to the address sac@equifax.es in which it exposes
that in the EQUIFAX report dated 11/27/2019 there is an incident of non-payment
associated with your personal data for "claims from public bodies" that are
would have been made by *** CITY COUNCIL. 17., *** PROVINCE. 2 , on the date
07/07/2014 .
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 36
36/184
Complainant 61: Report the use that EQUIFAX has made of your personal data, without
your consent and without any notification, for inclusion in your delinquent file
for non-existent debts. Provide a copy, among others, of these documents:
to. Letter from EQUIFAX, dated 10/17/2019, with the information included on that date
in the FIJ associated with your name, two surnames and NIF. In the section " Claims
of Public Organizations ” there is no data. In the section " Judicial Claims "
consists of:
- 1st entry: as plaintiff, *** CITY COUNCIL.2; procedure, debt
tax; publication medium, *** BOLETIN.2 and the date 10/10/2016.
- 2nd entry: applicant on *** CITY COUNCIL.16; procedure, debt
tax; means of publication *** BULLETIN.3 and date 11/05/2014.
b. Letter from EQUIFAX dated 10/17/2019 in which it responds to the requested access according to
model (see Third Antecedent)
c. Certificate issued by the *** CITY COUNCIL. 2 - Municipal Executive Collection -,
of 10/21/2019, which indicates that the claimant -identified by name,
surnames and NIF- does not appear as a debtor in the Municipal Public Treasury for
Tax concepts that, to date, are in the executive period of
payment.
d. Certificate issued by the *** CITY COUNCIL. 16 on 10/21/2019 stating that the
claimant -identified by name, two surnames and NIF- is at the
current payment of the Tax on Mechanical Traction Vehicles with respect to the
vehicle -It is identified by the license plate, frame, make, model and type- whose owner
is the claimant.
Complainant 62: Complaint to EQUIFAX for inclusion of their personal data in the FIJ
linked to an alleged debt with the *** CITY COUNCIL.11 with which it has not had
do any relationship. Provide, in addition to the DNI, a copy of these documents:
to. Letter from EQUIFAX, dated 05/21/2019, with the information included on that date
in the FIJ associated with your name, two surnames and NIF. In the section " Claims
of Public Organizations ” there is no data. In the section " Judicial Claims "
consists of an annotation:
- Plaintiff, the *** CITY COUNCIL.11; procedure, tax debt; half
of publication, *** BULLETIN. 16 and the date 06/13/2017.
b. A screenshot accessed from the Administration.Gob.es page,
Citizen Folder, open in the name of the claimant. The epigraph that appears on the
size is the one related to the announcements in the Single Edictal Board (TEU) in which you can
Consult the list of notification announcements published in the BOE supplement.
There is the following legend: " No announcements have been found on the Single Board with
your identifier (NIF or NIE) ”.
Complainant 63: Report that EQUIFAX has included your personal data in the FIJ
for debts with the *** CITY COUNCIL. 2 and with the non-existent AEAT. Underline the fact
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 37
37/184
that these Administrations have not been the ones that have included it in the file, but
that the IJF itself has done it “motu proprio”. He adds that the respondent has denied him-
do the requested cancellation. It provides, among other documents:
to. Copy of the email sent on 10/08/2019, at 12:12 pm, to the EQUIFAX SAC, with
the one that sends them a copy of their ID and their signed application, and requests that their data be ex-
cluyan from the file.
b. Letter from EQUIFAX addressed to the claimant, dated 10/08/2018, in which he responds
to the request for cancellation of your FIJ data in these terms: " In relation to your
petition registered in our offices dated October 8, 2019, in which
requests us cancellation of the data that appear registered in the file of [FIJ] with
the documentation provided by you, we inform you that there is no registered
some incidence. However, we hereby send you your current situation in the
cited file ”.
c. Written by EQUIFAX, of 10/08/2019 at 1:30:30 p.m., with the information that in
that date is included in the FIJ associated with your name, two surnames and NIF. In the apartment
c “ Claims from Public Bodies” there are no data. In the section “ Claim-
Judicial decisions ”consists of:
- 1st entry: applicant the *** CITY COUNCIL.2; procedure, tax debt
taria; publication medium, *** BULLETIN. 2 and the date 05/09/2016.
- 2nd to 7th annotations: in all of them the plaintiff is the AEAT; The procedure,
tax debt, the publication medium "Tax Agency headquarters" and, the dates,
respectively, 12/05/2016; 01/20/2017; 02/24/2017; 01/05/2018; 01/22/2018 and
05/18/2018.
Claimant 64: Report the inclusion of their data in the FIJ without their authorization, data
which, he says, come from a public file. Request that the entire
information related to debts obtained from public files. Provides,
among others, these documents:
to. Letter from EQUIFAX, dated 02/13/2020, with the result of the access to the FIJ, in which
associated with the personal data of the claimant (name, surname and NIF), the
Next information:
Under the heading " Legal claims " there is an annotation: As
plaintiff appears *** CITY COUNCIL.10; as a procedure, tax debt;
medium of publication, *** BULLETIN.11 and the date of publication 05/20/2015.
b. A letter from EQUIFAX, dated 02/13/2020, responding to the requested access
according to letter model (see Third Fact)
Claimant 65: Report the inclusion of your data in the FIJ by EQUIFAX. Provides,
among others, these documents:
to. Letter from EQUIFAX, dated 12/18/2019, with the result of accessing the FIJ, in which
associated with the personal data of the claimant (name, surname and NIF), the
following information: Under the heading " Judicial claims " it consists of:
- 1st entry: As plaintiff the *** CITY COUNCIL.10; What
procedure, tax debt; publication medium, *** BOLETIN.10 and the
Publication date 03/28/2016.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 38
38/184
- 2nd entry: As plaintiff the *** CITY COUNCIL.7; What
procedure, tax debt; publication medium, *** BULLETIN.10 and
publication date 08/05/2015.
b. A letter from EQUIFAX, dated 12/18/2019, responding to the requested access
according to letter model (see Third Fact)
Claimant 66: Report the inclusion of their data in the FIJ, without their authorization, data
which, he says, come from a public file. He claims that he exercised the right to object.
Request that all information related to debts that may have been
obtained from public files. It provides, among others, these documents:
to. Letter from EQUIFAX, dated 01/10/2020, with the result of the access to the FIJ, in which
associated with the personal data of the claimant (name, surname and NIF), the
following information: Under the heading " Legal claims " include:
- Six annotations in which the plaintiff is the AEAT; The procedure,
Tax debt; the publication medium, "Tax Agency Headquarters", and the
following publication dates, respectively: 06/09/2015;
10/16/2015; 02/17/2016; 09/23/2016; 12/02/2016 and 11/11/2014.
b. A letter from EQUIFAX, dated 01/10/2020, in which you respond to the requested access
according to letter model (see Third Fact)
Claimant 67: Among the various questions raised, he states that he had knowledge,
when he was trying to arrange a loan, that his data had been included in the
FIJ associated with debts with the *** CITY COUNCIL. 10 and with the AEAT and that
immediately proceeded to resolve the outstanding debts and sent EQUIFAX the
documentation that proved it. It provides, among others, these documents:
to. Certificate issued by the *** CITY COUNCIL. 10, electronically signed on
02/05/2020, stating that as of 02/04/2020 it does not exist, linked to the data
of the claimant, no outstanding debt in the executive way of collection of the aforementioned
Town hall.
b. AEAT certificate, electronically signed on 02/06/2020, of being up to date
in the payment of tax obligations.
Claimant 68: Report the inclusion of their data in the FIJ, without their authorization, data
which, he says, come from a public file. He claims that he exercised the right to object.
Request that all information related to debts that may have been
obtained from public files. It provides, among others, these documents:
to. Letter from EQUIFAX, dated 10/18/2019, with the result of the access to the FIJ, in which
Associated with your data (name, surname and NIF) the following information is provided:
Under the heading " Judicial claims " it consists of:
- 1st entry: Plaintiff the *** CITY COUNCIL.12 ; procedure, debt
tax; medium of publication, *** BULLETIN.15, and date of publication
04/29/2016.
- 2nd entry: Plaintiff the *** CITY COUNCIL.12; procedure, debt
tax; medium of publication, *** BULLETIN.15 , and date of publication
04/21/2014.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 39
39/184
b. A letter from EQUIFAX, dated 10/16/2019, in which you respond to the requested access
according to letter model (see Third Fact)
Claimant 69: Report the inclusion of their data in the FIJ, without their authorization, data
which, he says, come from a public file. He claims that he exercised the right to object.
Request that all information related to debts that may have been
obtained from public files. It provides, among others, these documents:
to. Letter from EQUIFAX, dated 10/18/2019, with the result of the access to the FIJ, in which
associated with the personal data of the claimant (name, surname and NIF) is provided
the following information: Under the heading " Legal claims " include:
- 1st entry: Plaintiff the *** CITY COUNCIL.12 ; procedure, debt
tax; medium of publication, *** BULLETIN.15, and date of publication
04/29/2016.
- 2nd entry: Plaintiff the *** CITY COUNCIL.12; procedure, debt
tax; medium of publication, *** BULLETIN.15 , and date of publication
04/21/2014.
b. A letter from EQUIFAX, dated 10/16/2019, in which you respond to the requested access
according to letter model (see Third Fact)
Claimant 70: Report the inclusion of their data in the FIJ, without their authorization, data
which, he says, come from a public file. Request that the entire
information related to debts obtained from public files. It provides, among others, these
documents:
to. Letter from EQUIFAX, dated 02/20/20, with the result of accessing the FIJ, in which
associated with the personal data of the claimant (name, surname and NIF) is provided
the following information: Under the heading " Legal claims " include:
- 1st entry: Plaintiff the *** CITY COUNCIL.1 ; procedure, debt
tax; medium of publication, *** BULLETIN.17 , and date of publication
11/04/2015.
- 2nd entry: Plaintiff AEAT procedure, tax debt; source of
publication, "Tax Agency Headquarters" and publication date 08/08/2018
Claimant 71: Report the inclusion of their data in the FIJ, without their authorization, data
which, he says, come from a public file. Denies the certainty of the debt. Provides, between
others, these documents:
to. Letter from EQUIFAX, dated 02/20/2020, with the result of the access to the FIJ, in which
associated with the personal data of the claimant (name, surname and NIF), the
following information: Under the heading " Legal claims " there is an annotation:
Plaintiff, the *** ORGANISMO.5; procedure, tax debt; source of
publication *** BULLETIN. 10 and the date 01/11/19.
Claimant 72: Report the inclusion of your data in a list of defaulters without your
consent or knowledge for non-existent debts since they had already been
paid. Learn the facts when managing a loan application. Provides, between
others, these documents:
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 40
40/184
to. Letter from EQUIFAX, dated 02/20/2020, with the result of the access to the FIJ, in which
associated with the personal data of the claimant (name, surname and NIF) is provided
this information: Under the heading " Legal claims " it consists of:
-1st entry: plaintiff, *** CITY COUNCIL.18; procedure, debt
tax; publication medium, *** BULLETIN.18; publication date
01/27/2017.
-2nd entry: plaintiff " Mancomunidad de Servic Provinc ."; process,
Tax debt; means of publication *** BULLETIN. 18 and date 03/11/2016.
-3rd annotation: plaintiff *** CITY COUNCIL.18; procedure, debt
tax; means of publication *** BULLETIN. 18 and date 05/05/2015.
b. A letter from EQUIFAX, dated 02/21/2020, in which you respond to the requested access
according to letter model (see Third Fact)
Complainant 73: Report the inclusion of your personal data in a list of
defaulters of EQUIFAX without their consent or knowledge due to a debt
non-existent. It provides, among others, these documents:
to. Letter from EQUIFAX, dated 02/21/2020, with the result of access to the FIJ, in the
that associated with the personal data of the claimant (name, surname and NIF) are
provides the following information:
Under the heading " Judicial Claims " an annotation: plaintiff, the
*** CITY COUNCIL. 6; procedure, tax debt; publication medium,
*** BULLETIN. 11 and date 12/11/2017.
b. Letter from EQUIFAX, dated 02/21/2020, in which it responds to the request for deletion
of your FIJ data, denying it for not having provided documentation that justifies
the deletion (see sample letter denying the deletion, Third Fact).
Claimant 74: Report the inclusion of their data in the FIJ, without their authorization, data
which, he says, come from a public file. Denies the certainty of the debt. Provides, between
others, these documents:
to. Letter from EQUIFAX, dated 01/09/2020, with the result of access to the FIJ, in the
that associated with the personal data of the claimant (name, surname and NIF) are
provides the following information:
Under the heading " Judicial Claims " there is an annotation: as
applicant the *** CITY COUNCIL.5 ; procedure, tax debt; source of
publication *** BULLETIN.6 and date 12/16/2019.
b. Letter from EQUIFAX, dated 01/20/2020, in which it responds to the request for deletion
of your FIJ data, denying it for not having provided documentation that justifies
the deletion (see sample letter denying the deletion, Third Fact).
Claimant 75: Report the inclusion of your data in the FIJ for debts that are not
certain. It provides, among others, the following documents:
to. Letter from EQUIFAX, dated 10/25/2019, with the result of access to the FIJ, in the
that associated with the personal data of the claimant (name, surname and NIF) are
provides the following information:
Under the heading " Judicial Claims " there is an annotation: as
plaintiff the *** ORGANISMO.8 ; procedure, tax debt; source of
publication *** BULLETIN.3 and date 02/10/2017.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 41
41/184
b. Certificate issued by the General Directorate of Taxes of the Autonomous Community,
electronically signed on 11/26/2019, indicating that “ with the data obtained
in the Executive Collection of the Autonomous Community of (...) has no debts in
executive period, and if it has them, they are postponed, divided or their
suspension, or there are credits in their favor that guarantee their collection ”.
c. Letter from EQUIFAX, dated 10/25/2019 responding to the request for access to the FIJ
(depending on model, see Third Fact)
Claimant 76: Report the inclusion of your data in the FIJ associated with a debt
with a City Council. It rejects that it was that Administration who had
communicated your data to the file. It provides, among others, these documents:
to. Letter from EQUIFAX, dated 02/17/2020, with the result of access to the FIJ, in which
associated with the personal data of the claimant (name, surname and NIF), the
Next information:
Under the heading " Judicial Claims " there is an annotation: as
applicant the *** CITY COUNCIL.11 ; procedure, tax debt; source of
publication *** BULLETIN. 16 and date 11/08/2017.
b. Documentation accrediting having requested the cancellation of the FIJ data
on 01/16/2020 and EQUIFAX's response of 02/25/2020 in which he denies the
Suppression requested for not having provided documentation that justifies it (according to
sample letter denying cancellation, see Third Fact)
Claimant 77: Report the inclusion of your data in the FIJ made by EQUIFAX,
associated with alleged debts with public bodies. It provides, among others, these
documents:
to. Letter from EQUIFAX, dated 12/11/2019, with the result of the access to the FIJ, in which
associated with your personal data (name, surname and NIF) the following is provided
information: Under the heading " Judicial Claims ":
- 1st entry: plaintiff, the *** ORGANISMO.9 ; procedure, debt
tax; publication medium, *** BULLETIN. 19 and date 07/15/2019.
- 2nd entry: plaintiff, *** CITY COUNCIL.19 ; procedure, debt
tax; publication medium, *** BULLETIN. 19 and date 04/13/2018.
b. Certificate signed by the head of the Tax Management and Inspection Office of the
*** ORGANISM. 9, signed on 02/13/2020, indicating that there are no receipts
pending collection and that two installments are in force for the payment of
debts that are detailed in the document.
Claimant 78: Complaint that a financial entity with which it intended to contract a
mortgage loan has provided you with information from, as you have been informed,
of a non-existent file - "ASNEF JUDICIAL" - referring to various debts in your name
contracted with Public Administrations that are not true because they are already settled.
It provides, among others, these documents:
to. Screenshot provided by the financial institution regarding the debts
associated with his person. At the top is " Summary judicial information"; the
date of the consultation is 02/20/2020; the search criteria used are the NIF,
name and two surnames of the claimant. Three annotations are reflected for " Incidents
Judicial "being the date of the last update on 05/14/2018. They consist of these
annotations:
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 42
42/184
- 1st entry: plaintiff the AEAT; procedure, tax debt; condition,
embargo; date 05/17/2017.
- -2nd and 3rd annotation: applicant on *** CITY COUNCIL.12 ; process
Tax debt; status, embargo and dates, respectively, 11/03/2017 and
05/09/2018.
b. Copy of the email received from *** EMAIL.1 , dated 02/24/2020 in which you
they report that there is no outstanding debt in executive situation as of today
associated with his person.
Claimant 79: Report the inclusion of their data in the FIJ, without their authorization, data
which, he says, come from a public file. He claims that he exercised the right to object
before the claimed. It provides, among others, these documents:
to. Letter from EQUIFAX, dated 02/27/2020, with the result of the access to the FIJ, in which
associated with the personal data of the claimant (name, surname and NIF), the
Next information:
Under the heading " Judicial Claims " there are 2 annotations. In both,
as plaintiff, appears the AEAT ; as a procedure, tax debt; as a medium
of publication "Tax Agency Headquarters" and the dates, respectively, 09/07/2015 and
03/04/2019.
b. Response from EQUIFAX, 02/27/2020 to access the FIJ (according to the letter model, see
Third Fact)
Claimant 80: Report the inclusion of their data in the FIJ at the request of EQUIFAX
for a debt with Social Security that is not true, as it is appealed in the ad-
nistrative. He adds that he was not informed of the inclusion of his data in the FIJ and that
EQUIFAX denied the requested cancellation despite having sent him a copy of the appeal.
appeal filed against the Social Security resolution. Provides, between
others, these documents:
to. Letter from EQUIFAX, dated 12/14/2018, with the result of access to the FIJ, in the
that associated with your personal data (name, surname and NIF) the following is provided
information:
Under the heading " Claims from public bodies ":
- 33 annotations being in all of them the complaining entity, the Security So-
cial; the means of publication, *** BULLETIN.8; the date of publication
09/18/2017. The 33 entries correspond to debts accrued by pe-
monthly cycles being the oldest dated 12/2014 and the most recent
cient of 04/2017.
Under the heading " Judicial Claims", there is an annotation: as
plaintiff the TGSS; means of publication *** BULLETIN.8 and the date of publication
04/18/2018.
b. EQUIFAX's letter of 11/29/2018 in which it responds, denying it, to the request
cancellation of the claimant for not having provided documents that justify their
suppression. (letter according to the model included in the Third Event)
c. The AEPD, prior to the admission for processing of this claim, gave
transfer of her to EQUIFAX. The respondent responds in writing dated 02/18/2019,
in which after acknowledging that the incidents that have been detailed in
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 43
43/184
point a. above, states the following: "In response to the cancellation request
of the owner, we proceed on 02/18/2019 to the cancellation of said data, in such
Therefore, after canceling, there is no other incident associated with D. [the re
claimant] in the file .. [FIJ] ” (The underlining is from the AEPD).
Claimant 81: Report the inclusion of their data in the FIJ, without their authorization, data
which, he says, come from a public file. It provides, among others, these documents:
to. Letter from EQUIFAX, dated 02/10/2020, with the result of the access to the FIJ, in which
associated with the personal data of the claimant (name, surname and NIF), the
Next information:
Under the heading " Judicial Claims " there is an annotation: as a demand
from the *** CITY COUNCIL. 7 ; procedure, tax debt; publication medium
*** BULLETIN. 8 and date 08/16/2018.
b. Response from EQUIFAX, dated 02/18/2020, in which it denies the requested deletion
for not having provided documentation that justifies it (according to the model of the letter
gaining cancellation, see Third Fact)
Claimant 82: Report the inclusion of their data in the FIJ, without their authorization, data
which, he says, come from a public file. It provides, among others, these documents:
to. Letter from EQUIFAX, dated 02/25/2020, with the result of the access to the FIJ, in which
associated with the personal data of the claimant (name, surname and NIF), the
Next information:
Under the heading "Judicial Claims" there is an annotation: as a demand
dante AEAT ; procedure, tax debt; means of publication “Headquarters of the Tri-
butaria ”and date 10/1/2018.
Under the heading " Claims of Public Organizations " there are 7 annotations:
In all of them the claimant is Social Security; the publication medium *** BOLE-
TIN.15; the publication dates between 04/24/2018 and 02/01/2019; for debts-
sold for monthly and consecutive periods between 01/2018 and 04/2018 and the
10/2018.
b. EQUIFAX's response, dated 03/05/2020, in which it denies the requested cancellation
for not having provided documentation that justifies it (according to the model of the letter
gaining cancellation, see Third Fact)
Claimant 83: Report the inclusion of their data in the FIJ, without their authorization, data
which, he says, come from a public file. It provides, among others, these documents:
to. Letter from EQUIFAX, dated 02/27/2020, with the result of the access to the FIJ, in which
associated with the personal data of the claimant (name, surname and NIF), the
Next information:
Under the heading " Judicial Claims " there are 3 annotations. In all
they appear as plaintiff the AEAT ; as a procedure, tax debt; What
publication medium, "Tax Agency Headquarters" and the dates, respectively,
05/20/2014; 01/08/2016 and 06/28/2019.
b. Letter from EQUIFAX, 03/06/2020, addressed to the claimant in which it says: “Agree
with your request for opposition / cancellation, since you have not provided documentation
that justifies the deletion, it is not appropriate to attend to your request ... " (continues according to model
of letter denying cancellation, see Third Fact. The underlining is from the AEPD)
c. The AEPD, prior to the admission for processing of the claim, requested
EQUIFAX information on the facts presented by the claimant. The claimed
responded in writing dated 02/18/2019 in which he acknowledges the existence of the an-
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 44
44/184
statements in the FIJ associated with the claimant's personal data and pronounces in
the following terms: " In response to the cancellation request of the holder, the
dated 02/18/2019 to the cancellation of said data, in such a way that, after making
the withdrawal, there is no other in the name of Mr. [the claimant] in the [FIJ] ”(The underlining
do is from the AEPD)
Claimant 84: Report the inclusion of their data in the FIJ, without their authorization, data
which, he says, come from a public file. It provides, among others, these documents:
to. Letter from EQUIFAX, dated 02/27/30/01/2020, with the result of access to the FIJ, in the
that associated with your data (name, surname and NIF) the following information is provided
tion:
Under the heading " Judicial Claims " they include:
- 14 entries in which the applicant is the AEAT ; procedure, debt
tax; the publication medium, " Tax Agency Headquarters " and the dates of
publication are between 01/06/2015 (the oldest) and the
05/11/2018 (most recent)
- An entry in which the plaintiff is the *** CITY COUNCIL. 3; pro-
assignment of tax debt; the means of publication *** BULLETIN.3 and the date
of publication 02/20/2017.
b. Letter from EQUIFAX, dated 01/30/2020 in which it responds to your request for access to the
FIJ (according to letter model, see Third Fact)
Claimant 85: Report the inclusion of your personal data in the FIJ linked to
debts with Public Administrations without your consent and the transfer of your data
by EQUIFAX to third parties. It adds that it exercised the right of deletion on 02/20/2020
that it was denied without justification. It provides, among others, these documents:
to. Letter from EQUIFAX, dated 02/20/2020, with the result of the access to the FIJ, in which
associated with your data (name, two surnames and NIF) the following information is provided
tion: Under the heading " Judicial Claims " include:
- 4 entries in which the applicant is the AEAT ; procedure, debt
tax; the publication medium, " Tax Agency Headquarters " and the dates of
publication are between 07/09/2015 (the oldest) and the
01/23/2017 (most recent)
- An entry in which the plaintiff is the *** CITY COUNCIL. 20 the pro-
assignment of tax debt; the means of publication *** BOLETIN.11 and the fe-
Publication cha 30/09/2016.
b. Letter from EQUIFAX, dated 03/02/2020, in which he denies the cancellation of his da-
cough requested on 02/20/2020 (according to letter model, see Third Fact)
Claimant 86: Report the inclusion of your data in the list of defaulters FIJ by
debts older than five years, so they would be prescribed. Add that
EQUIFAX has denied the cancellation of the annotations due to lack of evidence. Provides,
among others, these documents:
to. Letter from EQUIFAX, dated 03/16/2020, in which the claim data is associated
mante (name, two surnames and NIF) the following information is provided:
Under the heading " Judicial Claims" they include:
- 2 annotations: as plaintiff the AEAT appears; as procedure, debt
tax; means of publication " Tax Agency Headquarters " and the dates, res-
pectively, 12/11/2015 and 02/12/2016.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 45
45/184
- 2 annotations: as plaintiff the TGSS; publication medium SS S
ELECTR. (...) and the dates 11/17/2014 and 06/19/2014.
Under the heading "Claims of Public Organizations":
- Two annotations: as claimant the SS; publication medium, respective-
mind, SS S ELECTR. (...) and *** BULLETIN. 8. It is noted that this second
annotation is for an amount of 2.50 euros. The publication dates are,
respectively, on 11/17/2014 and 04/04/2016.
b. Letter from EQUIFAX, dated 03/16/2020, in which it responds to the request to cancel
the claim of the claimant denying it, since he has not provided documents that justify
deletion.
Claimant 87: The Catalan Data Protection Authority sends documentation
relating to the claimant, in particular, the following:
to. Negative certificate issued by the *** CITY COUNCIL. 7 and signed on 05/05/2020
in which it appears that the claimant, identified by his name, first surname and NIF,
does not have debts pending payment in the executive period according to the databases of
municipal collection.
b. Letter from EQUIFAX, dated 05/04/2020, in which the claim data is associated
mante (name, two surnames and NIF) the following information is provided: Under the heading
" Judicial Claims" appears an annotation: as plaintiff appears the
*** CITY COUNCIL. 7 ; the procedure is tax debt; the publication medium
*** BULLETIN. 8 and the date of publication 02/20/2019. .
Claimant 88: Claims to have previously filed claims with
" DPS @ AEPD" and PTFP@correo.Gob.es from which you are waiting for a response and with which
attached 28 files. In this letter of claim, it sets out, among other issues,
that EQUIFAX informed him of the existence of an annotation in the FIJ associated with his
data and linked to debts with Social Security, without the information being
provide the amount of the debt pending payment. Add that you have requested the TGSS
on several occasions - the last one on 03/28/20 - a debt deferral.
Complainant 89: Report the inclusion of your personal data without your consent
in the FIJ related to alleged debts with Public Administrations. Provides, between
others, these documents:
to. Letter from EQUIFAX, dated 05/20/2020, in which associated with the data of the
Claimant (name, two surnames and NIF) the following information is provided:
Under the heading " Judicial Claims" they include:
- 3 annotations: plaintiff the AEAT; procedure, tax debt; half
of publication " Tax Agency Headquarters " and the dates, respectively,
04/09/2019; 05/06/2019 and 05/27/2019.
- 1 entry: applicant on *** CITY COUNCIL.5; publication medium
*** BULLETIN. 8 and the date 11/27/2015
- 1 entry: applicant the *** CITY HALL. 7; publication medium
*** BULLETIN. 8 and the date 02/05/2015.
- 1 entry: applicant (…); publication medium *** BULLETIN.8 and date
11/11/2017.
Claimant 90: Report the inclusion of your personal data in the FIJ associated with
debts with Public Administrations that, it says, " are inaccurate or non-existent ". Apor-
ta, among others, these documents:
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 46
46/184
to. Written document from EQUIFAX, dated 03/11/2020, in which associated with the data of the
Claimant (name, two surnames and NIF) the following information is provided:
Under the heading " Judicial Claims" they include:
- 1st note: plaintiff the AEAT; procedure, tax debt; source of
publication " Tax Agency Headquarters " and the date 09/10/2018.
- 1 entry: applicant the *** CITY COUNCIL.1; publication medium
*** BULLETIN. 1 and the date 02/20/2018.
Claimant 91: Denounces the inclusion of your personal data in the FIJ for a preliminary
sunta debt with a City Council and for the transfer of your data to third parties without him or
the City Council have authorized such communication. It provides, among others:
to. Letter from EQUIFAX, dated 03/04/2020, in which it is associated with the claimant's data
(name, two surnames and NIF) contains this information: Under the heading " Claims
Judicial ” an annotation, the plaintiff being the *** CITY COUNCIL.21; the procedure
lie, tax debt; the medium of publication, *** BULLETIN.15 and the date
03/09/2018.
b. Letter from EQUIFAX dated 03/13/2020 denying the requested cancellation for not having-
documentation that justifies the deletion has been provided (model transcribed in Antece-
dente Third)
Complainant 92: Report that your personal data has been included in the FIJ by
alleged debts with the TGSS and the AEAT without their knowledge. Add that EQUIFAX
probably obtained the data from the Official Gazettes, but, he says, has not contrasted
the veracity of the information since the debts are either inaccurate or do not exist. Provides,
among others, these documents:
to. Letter sent by EQUIFAX on 03/10/2020 in which he responds to the request for can-
custody of your FIJ data, denying it for not having provided documentation that
justify the deletion (model transcribed in Third Antecedent)
Complainant 93: Report that EQUIFAX has included your personal data in the FIJ
linked to debts with the AEAT without your authorization or that of the AEAT. Provides, between
others:
to. Letter from EQUIFAX, dated 03/04/2020, in which associated with your data (name, two
surnames and NIF) there is an annotation under the heading " Judicial Claims" .
As plaintiff appears the AEAT; procedure, tax debt; publication medium
tion, "Tax Agency Headquarters " and the date 07/20/2015.
b. EQUIFAX's letter, dated 03/12/2020, in which it responds, denying it, to the request
of deletion of your data from the FIJ for not having provided documentation that justifies
such deletion (model transcribed in Third Antecedent)
Claimant 94: Report the inclusion of your personal data in the FIJ for a
alleged debt with the *** ORGANISM.10 , without its consent or that of the
Deputation. He adds that he requested the deletion of his data to EQUIFAX on 03/02/2020 and
was denied. It provides, among other documents:
to. Letter from EQUIFAX, dated 03/03/2020, with the information contained in the FIJ associa-
gives his name and two surnames, but not his NIF, since in the document of
EQUIFAX is missing this information. In the section “ Judicial Claims” there is an annotation
tion. As plaintiff the *** ORGANISMO.10; procedure, tax debt; half
of publication, *** BULLETIN. 20 and the date 10/06/2017 .
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 47
47/184
b. Letter from EQUIFAX, dated 03/11/2020, in which it denies the request for cancellation
cited for not having provided documents to justify the deletion.
Complainant 95: Complaint that EQUIFAX has included your personal data in the FIJ
for an alleged debt with the TGSS that is non-existent. Add that you have requested
the claimed, unsuccessfully, to proceed to correct the mistake made.
to. Provides, among others, a copy of the letter addressed to EQUIFAX, sent by mail.
tified on 04/04/2019, in which you request the cancellation of your file data. Certifi-
negative result of the TGSS, electronically signed on 11/30/2018, which certifies that
is up to date with payment.
b. The AEPD, before agreeing on the admission for processing of this claim, will address
He turned to EQUIFAX requesting information on the facts presented by the claimant.
The respondent responded in writing dated 06/14/2019 in which she stated that, in the
date of receipt of the informative request from the AEPD, 06/13/2019, “it consisted of
registered an incident with the *** CITY COUNCIL. 22 and that on 06/13/2019 has
proceeded to cancel said entry ". (The underlining is from the AEPD)
Claimant 96: Denounces the inclusion of your data in the FIJ which, it says, comes
causing that in recent years the banking entities deny the
financing that he is requesting, since they receive a report from EQUIFAX with data that he has not
facilitated and whose existence I did not know.
to. The claimant provides, among other documents, a letter from EQUIFAX, dated
02/14/2019, in which associated with your personal data (name, two surnames and NIF)
This information consists of: Under the heading " Judicial Claims" an annotation,
the plaintiff being the *** CITY COUNCIL.22; the procedure, tax debt; the
publication medium, *** BULLETIN.6 and the date 07/26/2017.
b. The AEPD, before agreeing to admit this claim for processing, addressed to
EQUIFAX requesting information on the facts presented by the claimant. The re-
Clamada responded in writing dated 06/14/2019 in which it stated that, on the
letter of receipt of the informative request from the AEPD, on 06/13/2019, “consisted of
registered an incident with the *** CITY COUNCIL. 22 and that on 06/13/2019 has
proceeded to cancel said entry ". (The underlining is from the AEPD)
Claimant 97: Report the incorporation of your personal data to the FIJ made,
as stated, by the *** CITY COUNCIL.23 for a non-existent debt.
THIRD: The letter model used by EQUIFAX when the RGPD was already
effective application -from 05/25 / 2018- to deny claimants the deletion
of your personal data from the FIJ, of which there are numerous examples in the file
administrative, included these paragraphs that we reproduce below:
“ (...) Said data have been obtained from PUBLIC ACCESS SOURCES. Yes
You would like to expand the information provided here, you can do so by contacting the Agency
Public included in the abbreviated report.
The entities that use this file will be able to compare their name, surname and
NIF / NIE with that of the person requesting an operation and in the event that there is
a discrepancy (same NIF / NIE with another name and surname) may prevent
use your NIF / NIE in said application. To help entities that consult the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 48
48/184
file to prevent delinquencies and analyze their solvency, as well as to help
to the prevention of fraud and prevent them from impersonating your identity in operations,
products or services not requested by you. The data included in this file
They may also be treated anonymously for analysis
statistics.
The data included will be canceled or removed once you have
made the payment of the debts and we justify said payment by means of a certificate
issued by the Public Body in question or with a ruling in its favor, and in all
case, 6 years from the date your data was published (origin of the
information) ” (The underlining is from the AEPD)
The letter model used by EQUIFAX to respond to requests for access to
the data included in the FIJ after the GDPR was effectively applied
(since 05/25/2018), of which numerous examples are in the file, has the
following text:
It begins by communicating to the affected person that they send “ the information associated with their
identifier or your name and address provided by you. " "Attached we send
formal access to the file so that you can check the data that is
are currently registered. We also attach the History of Queries,
which consists of all the information related to the entities that, where appropriate, have
consulted your data in the last six months. "
“Said data has been obtained from PUBLIC ACCESS SOURCES. If i wished
expand the information provided here, you can do so by contacting the Public Agency
contained in the abbreviated report.
The entities that use this file will be able to compare their name, surname and
NIF / NIE with that of the person requesting an operation and in the event that there is
a discrepancy (same NIF / NIE with another name and surname) may prevent
use your NIF / NIE in said application. To help entities that consult the
file to prevent delinquencies and analyze their solvency, as well as to help
to the prevention of fraud and prevent them from impersonating your identity in operations,
products or services not requested by you. The data included in this file
They may also be treated anonymously for analysis
statistics.
The data included will be canceled or removed once you have
made the payment of the debts and we justify said payment by means of a certificate
issued by the Public Body in question or with a ruling in its favor, and in all
case, 6 years from the date your data was published (origin of the
information)." (The underlining is from the AEPD)
In both letters, EQUIFAX affirms that the personal data of those affected included
in the FIJ they were obtained from publicly accessible sources; relates the purposes of
data processing carried out; demands as a condition for ending the
treatment of the data that their holders certify the payment of the debt through
document issued by the corresponding official body or through a ruling
and informs that the data thus obtained will be processed for 6 years
computed from the date they were published, " origin of the information".
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 49
49/184
At the same time, they are also on the record -exclusively linked to the
claimants 36, 43 and 48- the letters that EQUIFAX sent them on 10/18/2018,
08/22/2019 and 08/24/2019, respectively, informing them of the inclusion of their data
in the FIJ. In this model letter, the respondent provided the following information:
<< What is the file of legal claims and Public Bodies?
It is a file owned by the company EQUIFAX IBÉRICA, SL, with CIF ..., which
contains data on legal claims, in which you appear as
defendant, and claims from public bodies in which you are listed as
debtor with organizations such as the General Treasury of Social Security (TGSS),
Town councils or the Tax Agency, and which are published on the website of the
TGSS, Public Registries, Official Provincial Gazettes, of the Communities
Autonomous, of the State, in the annexes published in said Bulletins and media
social comunication. This file has its legal basis in the legitimate interest of the
entities, which need to know the debts or claims of a natural person or
legal to give security to commercial traffic, prevent delinquency and assess the
financial solvency of said people, with whom they have or will have relationships
commercial, credit and periodic or deferred payment.
What is my data used for?
To help the entities that consult the file to prevent delinquency and
analyze the solvency of these, as well as to help prevent fraud and
prevent them from impersonating your identity in operations, products or services not
requested by you. The entities that use this file will be able to compare their
name, surname and NIF / NIE with that of the person requesting an operation and in the
in case there is a discrepancy (same NIF / NIE with another name and surname)
may prevent their NIF / NIE from being used in said application. The data included in this
file may also be treated anonymously for analysis
statistics.
How long can I be included in the Judicial Information file and
Claims from Public Organizations?
The data included will be canceled or removed once you have
made the payment of the debts and we justify said payment by means of a certificate
issued by the Public Body in question or with a ruling in its favor, and in all
case, 6 years from the date your data was published (origin of the
information)
Who can see my data?
In general, entities in the financial sector, insurance, telecommunications, supplies
of energy or that provide deferred or periodic payment services with which it has
any contract in force or if they need to consult your data to study any
request that you have made.
How do I exercise my rights of access, rectification, cancellation, limitation and
opposition for free?
You can send us an email to the address sac@equifax.es or by sending us
a letter to the Post Office 10546, 28080 in Madrid. Please do not forget to read the
back of this letter "Requirements for the exercise of rights". (...)
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 50
50/184
Can I file an official claim?
You can contact the Spanish Data Protection Agency and submit a
claim if www.agpd.es considers it so. Likewise, we provide you with the data of
contact of the Data Protection Delegate dpo@equifax.es >> (The underlined is
of the AEPD)
FOURTH: Initiation agreement.
On 07/24/2020 the Director of the Spanish Data Protection Agency
agrees to initiate a sanctioning procedure for the claimed, in accordance with the provisions
in articles 63 and 64 of Law 39/2015, of October 1, on the Procedure
Common Administration of Public Administrations (hereinafter, LPACAP), by the
alleged infringement of articles 6.1 and 5.1.d) of the RGPD, both typified in the
Article 83.5.a) of the RGPD.
The initiation agreement indicates that, without prejudice to what results from the instruction,
the sanctions that could be imposed would be the following:
For the violation of article 6.1 RGPD, in accordance with article 58.2.i) RGPD, fine
administration of three million euros. In accordance with article 58.2.f) RGPD, the
prohibition of continuing the data processing carried out through the FIJ, which
would imply closing the file. It is also indicated that, pursuant to article 58.2.g)
RGPD, the respondent could be ordered to proceed to the suppression of all
personal data associated with the alleged debts that are subject to treatment
through the FIJ.
For the violation of article 5.1.d) RGPD, in accordance with article 58.2.i) of the RGPD, fine
administration of three million euros. In accordance with article 58.2.f) RGPD, the
prohibition of continuing the data processing carried out through the FIJ, which
would imply closing the file. It is also indicated that, pursuant to article 58.2.g)
RGPD, the respondent could be ordered to proceed to the suppression of all
personal data associated with the alleged debts that are subject to treatment
through the FIJ.
FIFTH: Notification of the initiation agreement.
The initiation agreement is notified to the claimed by electronic means on the date
07/24/2020. The notification is accepted on 07/30/2020. Both ends remain
Accredited by the Notification Service Support service certificate
Electronic and Authorized Electronic Address issued by the FNMT-RCM (as
successive, FNMT) that is in the file.
SIXTH: Allegations to the initiation agreement: Request for extension of the term of
allegations and a copy of the file.
On 08/04/2020, a letter from the complained party has entered the Agency in which
requests, under the protection of articles 32.1 and 53.1.a) of the LPACAP, the extension of the term
to formulate allegations to the agreement to initiate the sanctioning procedure and the
delivery of a copy of the administrative file. Provide with your writing a copy of
the notarial public deed granted on 05/04/2012 in which the claimed one confers
power of attorney to D. DPR . so that, acting in his name and representation, he can make use,
among other powers, those necessary to intervene in such condition in all
procedures of the sanctioning file that concerns us.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 51
51/184
The AEPD, in writing dated 08/12/2020, agrees to extend, by the maximum allowed
legally, the period initially set to present allegations and refers to the
claimed a copy of the administrative file. Notification of the writing and
delivery of the copy of the file was made by postal courier since the
The volume of the file makes it impossible to send it by electronic means. Work in
the procedure the proof of the MRW company proving that the documents
They were received by the respondent on 08/12/2020.
SEVENTH: Allegations to the initiation agreement: Brief of allegations.
On 08/19/2020 the brief of allegations to the
commencement agreement presented by the respondent requesting the issuance of
resolution declaring the nullity of the procedure.
In the alternative, that the filing of the procedure be agreed. And subsidiarily
Regarding the previous request, that a warning or warning be imposed or
that the amount of the sanction provided for in the agreement of
beginning.
He uses the following arguments in support of his claims:
The first allegation concerns the defenselessness generated to EQUIFAX as
consequence of having fixed in the agreement to open the procedure the amount
of the sanction instead of expressing in said agreement, only, the limits of the
possible sanction to impose. Other circumstances that in his opinion would have caused him
defenselessness, invalidating the procedure, are the following: not having had
the opportunity to state your opinion on the circumstances that could result
applicable to the case; the summary motivation of the aggravating circumstances that is made
in the initiation agreement and the one that has been substantially affected
instructor impartiality in clear break with the principle of phase separation
instructor and sanction.
The second allegation has the rubric “ Of the defenselessness of EQUIFAX due to the access
late to the administrative file and its content ”. In it he explains the
helplessness suffered as a result of having seen limited and reduced
ostensibly its ability to formulate allegations " complete and
informed ” . In this regard, it highlights two facts: the late delivery of the copy of the
file, which was transmitted on 08/12/2020, one business day before the
the ordinary period of ten business days will end, so that, although the Body
Sanctioner agreed to extend the term until 08/20/2020, the period of time in which
that has been able to access the documentation was only 6 business days.
Second, it highlights that the copy of the file suffers from various
defects that imply, at least, the need to “ proceed to the suppression of
a large part of the Background of the agreement itself ”. These deficiencies would be the
following: (i) The file forwarded refers to a limited number of the
claims that are mentioned in the commencement agreement, as there is no such
claim file or any document related to 43 claimants. (ii) It
include in the file, at least three claims that are not related to the
object of the file.
Regarding the claims that do appear in the documentation of the file
administrative authority that the AEPD sent her, the respondent draws the conclusion that these
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 52
52/184
are not related to the substantive issues contained in the foundations of the
initiation agreement “ since practically all of them referred to the exercise by the
interested parties of their rights of access and deletion ”Classify the claims
formulated, on which documentation was provided in the copy of the file that
was referred, in the following groups:
(i) Those in which the interested party exercises before the AEPD a right that has not
previously exercised before EQUIFAX. (ii) Those in which the claimant has
You requested the deletion of your FIJ data and EQUIFAX has responded to your request. (iii) AND
others in which the interested parties exercise their right of access before EQUIFAX, which is
attended, and without addressing EQUIFAX, they request the exercise of the right of deletion
directly before the AEPD “ alleging issues such as that the treatment is not
found based on their prior consent, that the collection of the
data from bulletins and official journals or even that the Administration author of the
publication expressed its disagreement with the very existence of the FIJ ”. A) Yes,
qualifies in bad faith the actions of the representative of several claimants who, with
regardless of whether the respondent had complied with the right of access exercised,
did not hesitate to refer a claim to the AEPD that had nothing to do with the right
initially exercised.
The entity concludes that of the 47 claims that appear in the file, it gave
full satisfaction of the right that the claimant exercised before her, although, in
On occasions, the interested party addressed a claim to the AEPD that was not related to
with what was requested before EQUIFAX.
The third claim deals with the pre-existing regulations to the RGPD and the actions of
the AEPD in relation to the FIJ. The defendant says that “[..] as recognized by the
Agreement itself, the material norms whose violation is attributed to my client do not
have varied in terms of their content as a consequence of the reform carried out by
the GDPR ”. Analyze the similarities and differences between the text of article 6.1.f) of the
RGPD and that of article 7.f) of Directive 95/46; indicates that the reasoning contained
in the recitals of the RGPD about the requirements of legitimate interest and how
carry out the necessary weighting to verify your application derives directly
of the jurisprudence emanating from the CJEU in its judgment of 10/24/2011 (matters
accumulated C-468/10 and C-469/10, Asnef, Fecemed) that declares the direct effect of the
Article 7.f) of Directive 95/46. It also refers to the Group's document
of Article 29 (hereinafter, GT29) “ Opinion 6/2014 on the concept of
legitimate interest of the data controller under article 7 of
Directive 95/46 / CE ”.
It considers that the data processing carried out by the FIJ was lawful in accordance with the
previous regulations and that “ based on the similarity, if not identity, between the
regulations previously in force and the collection in the text of the RGPD, it is necessary to have
taking into account that systems such as the FIJ were expressly recognized in the
Article 29.1 of the ”LOPD. "[...] that the alleged treatment carried out by me
principal [...] not only was not contrary, but expressly protected in the
regulatory framework in force prior to the entry into force of the RGPD [...] ” . He adds that the
normative framework has not been altered, but on the contrary reiterated, with the entry
in force of the RGPD.
Regarding the performance of the AEPD, he says that “ This lawfulness was not only known by
that AEPD, but that it came repeatedly to highlight it,
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 53
53/184
dictating numerous resolutions in which he considered perfectly consistent with the
data protection regulations the behavior of Equifax ”in conducts
totally similar to those that are now the subject of the disciplinary proceedings. mentions
the resolutions issued in TD / 00724/2015 and TD / 02085/2016.
It indicates that the data processing carried out through the FIJ “has not only been
been carrying out during the validity of all the low data protection regulations
the sight, science and patience of the AEPD, but it has blessed in repeated
Sometimes the legality of said treatment is now anatemized by the own
institution". “ If this is the case and the AEPD declared the legality of a treatment that now
is considered radically contrary to data protection regulations, it would be possible
conclude, with the utmost respect, that this institution collaborated
necessarily in the perpetration of that radically illicit conduct with the
consequent damage to the fundamental right [...] that it has as its mission
essential to guarantee and protect ”.
Regarding the action of the AEPD after the entry into force of the RGPD, it states
that this Agency is perfectly aware of “ the existence of the
information similar to the FIJ ”since the Code of
Conduct presented by the Multisectoral Information Association (ASEDIE) to the
which belongs to EQUIFAX and whose first version was presented on 05/24/2018 and the last
in May 2020.
It invokes the bankruptcy of the principle of legitimate confidence in which the AEPD has incurred,
that he now considers illegal behaviors that he previously considered fully legal. Bankruptcy
of legitimate expectations would determine the absence of a culpable element in the
conduct of the claimed party, and consequently, proceed to file the
proceedings. Specifies that, this is so because, even when the change of criterion merges
In a normative change, the normative reform has left the precepts unchanged in
which previously the Agency founded the lawfulness of the FIJ. Consider that they are fulfilled
all the necessary requirements to assess the violation of the principle of trust
legitimate under the terms described in STS 02/22/2016 (appeal
1354/2014) It invokes the SAN of 02/04/2009 (resource 304/2007) which maintains that the
breach of the principle of legitimate expectations should lead to the nullity of the resolution
sanctioning object of the appeal.
It also denounces the disproportionate nature of the measures that the AEPD intends
adopt: “ excessive sanctions” and “completely irreversible ” measures. Y
explains that the imposition of a penalty in the amount set in the initiation agreement
of the procedure would imply that this company would exit the market “ for the benefit of
other competing companies that handle the same information ”. Draws attention
on the fact that the AEPD has decided to " adopt the most appropriate measures
severity provided for in the data protection regulations ”when the RGPD offers
control authorities a wide range of corrective measures (Article 58). To what
which adds that article 83 RGPD expressly provides, in the event of a breach
normative, the possibility of not imposing an administrative fine and sanctioning
any other corrective measures of article 58 RGPD.
The fourth claim is entitled "On the legal basis of the treatment of the FIJ" .
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 54
54/184
The claim refers, first of all, to the implications that derive from the
regulations for the reuse of public sector information, Law 37/2007, of 16
November, on the reuse of information from the Public Sector (LRISP) and indicates that “ the
sources from which you have collected the data to which the claims refer
formulated and, in general, the data incorporated into the FIJ, expressly enable the
reuse of said information ”. Therefore, it concludes, the aforementioned LRISP, without prejudice
of the application of its article 4.6, does not constitute an obstacle to the collection of
data that she carries out. Mention for this purpose the general conditions of reuse
of the BOE website and adds that, in the remaining sources used, the
conditions of each one allow reuse as long as the
current legislative framework and, in particular, the RGPD and the Intellectual Property Law.
It reiterates that there is a legal concept of public access sources -as
evidence, says the defendant, the mention made of them in the STJUE of
11/24/2011 and in the ASEDIE Code of Conduct project presented to the AEPD
in May 2020- which “ imply the possible knowledge and access by any
person to the information they contain and that the fact that this
information is available to anyone makes the data processing
that they could include affect the private and family life of the interested parties
those that the data refer to an enormously lower degree than would occur
when the data does not come from such sources, allowing the weighting
required by article 6.1.f) RGPD can operate more easily for the benefit of the
legitimate interest of the person in charge that treats this publicly accessible data ”.
On the principle of necessity, he shows his disapproval with the reference that the
starting agreement made to the STJUE of 12/16/2008 (case C-524/2016) and to the judgment
of the ECHR of 03/25/1983 and proposes, for the interpretation of the concept of necessity,
use the criterion followed by the TC to analyze the proportionality of a measure
restrictive of a fundamental right.
Regarding the requirements to apply the legal basis of article 6.1.f) RGPD,
In accordance with the doctrine of GT29 in Opinion 6/2014, it mentions the following:
1.Existence of a legitimate interest of the person in charge of the treatment or of any
third. 2. Compliance with the principle of necessity linked to the principle of
suitability. 3. The favorable result of the weighting. Only when it is worth considering
that the affectation of the rights of the interested parties is tolerable in view of the
result obtained by the treatment, it can be carried out. Then
comments on the characteristics of each of the terms of the weighting and the
factors that should be taken into account in the mandatory weighting.
Remember the link that exists between the concepts of purpose and legitimate interest and
criticizes the considerations that the initiation agreement makes on the basis of the comment
of Opinion 6/2014 of the GT29. He then goes on to describe the legitimate interest
satisfies with the treatment of the data carried out by the FIJ. Distinguish a double interest
legitimate: an interest linked to the assessment of the solvency of those affected - of which
would be EQUIFAX owners, the third parties who access the data and the borrowers and
consumers- and a legitimate interest linked to fraud prevention. Summons
legal norms, opinions, circulars and reports on which it considers is based
the legitimate interest that each one of them holds.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 55
55/184
It dedicates a section to “ the weighting of the prevalence of the legitimate interest in the
present case ”. It affirms that there are multiple elements that lead to conclude that
the “ legitimate interest of Equifax, its user companies and society itself in the
treatment of FIJ data prevails over the rights and interests of the
debtors to which the data refer ” . Mention for these purposes the following
elements:
to. That the LOPD included a rule that determined the prevalence of the aforementioned interest
legitimate, therefore, “ Article 29.1 of the aforementioned law expressly referred to the legality of the
data processing in these systems ” . And remember that, regarding the treatment of
that we refer to, there has not been a substantial change in the applicable regulations,
but rather that “the legal bases and principles applicable to the treatment remain
unalterable as a result of the entry into force of the RGPD ”.
b. The regulation of the LOPDGDD itself. In this sense, it indicates that the aforementioned Law
recognizes the prevalence of legitimate interest by establishing a presumption in favor of the
credit information systems and adds that in these systems " the legitimate interest
that justifies the treatment is identical to that pursued by the FIJ ” from which it concludes that
is an indication of the weighting in favor of the legitimate interest that we examine, “even
when there is no regulation in the new Law similar to the old article 29.1 of
the LOPD. " It goes on to affirm that “ the fact that the impact on the rights and
Interests of the interested parties as a result of the processing of their data in the FIJ
is substantially similar to the one generated by the processing of your data in the systems
credit information , with respect to which the prevalence of interest is presumed
legitimate, should be considered an obvious indication of the prevalence of interest
legitimate in this case. "
c. The jurisprudence of the CJEU, which is specified in the aforementioned STJUE of 11/24/2011.
d. The attitude of the AEPD, which, it says, has been “ until now recognizing the legality of
these systems without having carried out a request, warning or warning
one addressed to my client, as has been analyzed in the third claim of
this writing. " It also adds that through the draft Code of Conduct that
promoted by ASEDIE, the AEPD has learned that an examination of the
prevalence of the legitimate interest of the entities that manage these systems of
information.
In the opinion of the respondent, the evidence cited, together with the fact that
their understanding of the requirements established by the GT29 in its Opinion 6/2014,
sufficiently legitimate interest whose prevalence it defends. Therefore, it explains the
entity, continued with the treatment through the FIJ and considered unnecessary
an analysis of the specific legitimate interest for the FIJ, since “[...] the regulation itself
carry out the weighting of interests applicable to the treatment regulated in article 20
of the LOPDGDD was already sufficient to supply the adoption of this measure ”. AND
In order to reinforce his argument, he invokes the quote from article 35.10 of the RGPD: “[...] when the
treatment in accordance with article 6, paragraph 1, letters c) or e), has its basis
in Union law or in the law of the Member State that applies
to the person responsible for the treatment, such Law regulates the specific operation of
treatment or set of operations in question, and a
impact assessment relating to data protection as part of an assessment
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 56
56/184
of general impact in the context of the adoption of said legal basis, the
sections "
It states that in 2019 it prepared a " weighting report" in order to
“ Minimize the impact of treatment below the standards required by
treatment by adopting measures in addition to those that would be sufficient to
consider applicable the provisions of article 6.1.f of the RGPD. ”Specifies that some
of these measures have already been implemented, others are in the implementation phase and others
they are under development for future adoption. Between updates
that he claims to have entered is the “notification of inclusion of the data to
the interested parties , in the same terms established for the information systems
credit in article 20.1 c), second paragraph of the LOPDGDD ”since, it states, that the
approval of the LOPDGDD “ meant the disappearance of the exemption from the duty of
inform that the jurisprudence had already expressly recognized in relation to the
information systems contained in article 29.1 of the LOPD. "
Regarding the concurrence of " reasonable expectations of the interested party " it shows its
discrepancy with what is indicated in the initiation agreement and states that " the interested party not only
has the reasonable expectation that your data may be consulted, but that
reasonably expects to be fortunate that access to the
themselves so that whoever contracts with him does not have a real knowledge of his
patrimonial solvency and credit ”.
The last question commented on in the framework of its fourth claim - “ From the base
legal treatment of the FIJ ” - refers to the exercise by the interested parties of their
rights of deletion and opposition. In this sense, criticize the following paragraph included
in the inception agreement:
“There are very many communications that the complainants addressed to EQUIFAX
in which they requested the cancellation of their personal data. If it had been
consistent with the alleged legitimate interest in which, in his opinion, the
data processing carried out, EQUIFAX should have qualified those requests
as an exercise of the right of opposition ”.
The claimed claim states that such a surprising statement would lead, as the only
logical conclusion, to deprive the interested party of the possibility of exercising the right to
deletion in any manifestation of those provided for in article 17.1 of the RGPD
that differs from the right of opposition, thus forcing you to invoke the reasons
related to your particular situation that justify your request. Therefore, says the
entity, "having reached the conclusion that the right of deletion is not repealed
in the different modalities of the right of opposition ”, it complied with the
requirements established in the data protection regulations, so that “ when
the requests demanded the deletion on the mere basis that the interested party did not
had given his consent Equifax could not comply with the request, since
Said consent is not required in this case, as has been stated
repeatedly". “Similarly, when the alleged falsehood or
data inaccuracy, Equifax was merely complying with the requirements of the
data protection regulations when requesting the contribution by the applicant of
the information that proves the inaccuracy, given that, otherwise, proceeding
the data of an official newspaper, it was not possible without more to conclude in the illegality of the data ”.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 57
57/184
In the fifth allegation of the brief of allegations to the commencement agreement, “ On the
compliance by Equifax with the principle of data accuracy ”, reiterates, firstly
term, which, with respect to this principle, the RGPD has not introduced modifications in
relationship with what the Directive established, neither in the enunciation of the principle nor in its
consequences, and that the AEPD, until the publication of this initiation agreement,
“ At all times considered the FIJ fully respectful of the provisions of the
regulations for the protection of personal data, in which it already appeared clearly
the aforementioned principle of accuracy (articles 6.1.d) of the Directive and 4 d) of the
the LOPD) ” Therefore, it considers that the initiation agreement implies that the Agency has
adopted a “ new criterion ” which concludes that the action of the AEPD is
contrary to the principles of legal certainty and legitimate expectations.
It states that, since the data come from public sources, it should be presumed
its accuracy, so that no liability can be derived for EQUIFAX from the
inaccuracy of which they suffer or the absence of any of them in the source
original. He claims to have acted with full respect for the rules of reuse of the
information established in each case and having incorporated into the FIJ the data “as and
as they appear in the cited sources ”.
Insists that the data is collected in the terms in which it is published and
accessible by anyone and " to the extent that such publication allows
identify the interested party. ”“ Therefore, if any of the
mentioned data in the FIJ this is due [...] to the pure and simple fact that this
data is not included in the official gazette or in the edict from which the
information."
It considers article 4.2 fully applicable to the case. LOPDGDD, in particular the
section d), provision that provides:
"two. For the purposes provided in article 5.1.d) of Regulation (EU) 2016/679, it will not be
attributable to the person responsible for the treatment, provided that he has adopted all the
reasonable measures to remove or rectify without delay, the inaccuracy of
personal data, with respect to the purposes for which they are processed, when the data
inaccurate:
[...]
d) They were obtained from a public registry by the person in charge. "
It claims to have adopted the “ necessary measures to guarantee the accuracy of the
information collected ”, since, within a period of one month from the moment of the
collection of the information, proceeds to notify the interested party of its inclusion in the FIJ.
On the reversal of the burden of proof invoked in the initiation agreement, party to
its exposition of the assertion that the data that EQUIFAX obtains from the newsletters
and official newspapers enjoy a " presumption of accuracy " " given the very nature of the
source from which it is obtained ” . Therefore, such a presumption can only be destroyed if the
The interested party accredits the inaccuracy of the information or the source itself proceeds to
its rectification. Thus, the conclusion is that no reversal of the burden of the
proof exists, since the published information is accurate as long as it is not
prove otherwise.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 58
58/184
It also cites article 14 of the LOPDGDD that, on the occasion of the regulation of the
right of rectification states “ By exercising the right of rectification recognized in the
Article 16 of Regulation (EU) 2016/679, the affected party must indicate in their request to
what data it refers to and the correction to be made. It must accompany,
when necessary, the supporting documentation for the inaccuracy or character
incomplete of the data object of treatment.
Finally, it refers to the cases in which the interested party has requested
additional documentation to link with it the existence of a certain
edict publication. For example, he has asked the interested party to indicate the
possible addresses to which the publication of a
certain edict that affected him. In that regard, it says the following:
"This request, [...] is carried out, [...] but to guarantee full compliance and
exercise of their rights, in order to proceed to the suppression of any
data that should not appear included in the FIJ. " And he explains the following: "In this
In this sense, that AEPD is fully aware that, until the entry into force of the
LOPDGDD, the regime of editorial publications carried out by the different
bulletins, newspapers and bulletin boards from which Equifax lawfully collects the
information was characterized by dispersion, so that the scope of the data
published by each of them differed substantially, including some of them,
but not all, the identification document of the interested party or their address.
Thus, my client cannot be blamed for the fact that sometimes
identification data of the interested party are not linked to a document
identification, but rather that said absence of connection comes directly from the
source from which the data are collected, endowed with the presumption of accuracy to which
reference has been made repeatedly throughout this allegation. "
The sixth claim refers to the modifying circumstances of liability
in accordance with the initiation agreement. Exposes the entity that, assuming that
should it be appropriate to adopt “a coercive measure against Equifax ”, this should be limited to
In addition, to the warning and to the requirement to adopt the measures that the AEPD
deemed necessary. The defendant justifies this statement in the " qualified
mitigating factors "that in his opinion concur in the present case, to which is added" the
own conduct of the AEPD that would have generated in Equifax the full
conviction of the legality of the data processing in the FIJ ”.
It invokes the following as mitigations:
(i) That since the approval of the LOPDGDD and the RGPD measures have been implemented
“ Aimed at minimizing even more the impact that the treatment [...] could produce
in the private sphere of the interested parties ”. Refers to the measures provided for in the LIA
provided -examination of the prevailing legitimate interest- which it affirms are additional measures
that they would not in principle be necessary to achieve a favorable weighting. (ii) What
EQUIFAX has never been sanctioned by the AEPD in relation to the treatment
carried out by the FIJ. (iii) That it has repeatedly met the requirements or
Information requests from the AEPD. (iv) That as an entity associated with ASEDIE
it is automatically adhered to the Code of Conduct promoted by that association.
The claimed does not specify the precept of the RGPD in which the
mitigating factors that it invokes.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 59
59/184
On the other hand, in relation to the aggravations appreciated in the initiation agreement,
comments that “ It cannot be considered as fraudulent to carry out a conduct that
the AEPD itself had been recognizing it as lawful ”; that “it is not possible to appreciate the existence
of a lawful benefit ”in which it has obtained with a conduct that the AEPD was
knowledgeable ” as well as the circumstances surrounding the treatment. So what,
even less, can be considered a continuing infringement that "carried out with the approval
of the supervisory authority ”.
Provides, annexes to the brief of allegations to the initiation agreement, the documents
following:
-Copy of the Code of Conduct of ASEDIE, Infomediary Sector.
-LIA, Judicial File. Legal analysis. December 2019.
EIGHTH: Brief from the instructor addressed to the complained party: The copy of the file
administrative that was delivered was incomplete; delivery of a complete copy; new
deadline for allegations.
In writing signed by the instructor on 12/23/2020, notified electronically and
accepted by the claimed on the same date, it is brought to their knowledge that, a
After analyzing the documentation that makes up the copy of the electronic file that is
It was sent to you on 08/12/2020, it has been verified that the application did not get to dump it
all of the documentation that made up the electronic administrative file
that served as the basis for the preparation of the initiation agreement, so the copy that
then provided to EQUIFAX it was incomplete. The AEPD has implemented the
electronic file, in such a way that it is the application that generates
automatic copy of said file.
In addition, in the aforementioned brief, the respondent is informed that on that date the
proceeds to send you, through postal courier, an encrypted CD containing the copy
complete administrative file and you are provided with the password that will allow you to access the
CD content. In the letter it is also communicated to him, so that he can formulate
new allegations in view of the full file, the following:
“In order to guarantee that EQUIFAX can, once it has at its disposal
all the documentation that served as the basis for this Agency for the adoption of the agreement
initiation of the sanctioning file PS / 000240/2019, make the allegations and provide
the documentation that it deems pertinent, the investigator of the file will not proceed to
the opening of the trial phase until at least ten business days have elapsed
computed from the date of notification of this writing, if the notification were
after December 28, 2020. If the notification of this communication were
prior to December 28, the ten business days will be counted from that date, for
be on this date that, ultimately, the courier company has
guaranteed to deliver the shipment containing the CD with the
documentation alluded to. "
The documents provided by the courier company are in the file
MRW that certify that the shipment with reference 2625 / A014103, sent by the AEPD,
It was delivered to the recipient's post office on 12/24/2020.
NINTH: Complementary allegations or second allegations to the initiation agreement:
Request for extension of the term.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 60
60/184
On 12/28/2020 a letter from EQUIFAX has entered the AEPD in which
states that they have received in their offices on 12/28/2020 the encrypted CD that
contains the copy of the file and requests that the
period initially set in the letter dated 12/23/2020 to formulate the second
allegations and provide documents.
In writing, signed and notified electronically on 01/13/2021, accepted by the
claimed on 01/14/2021, the investigator of the file informs you that:
"Without prejudice to the provisions of article 76.1 of Law 39/2015, of the Procedure
Common Administration of Public Administrations (LPACAP), with the same
purpose of guaranteeing the legitimate right of defense of EQUIFAX that inspired the
writing that was sent to that entity by the investigator of the file on
12/23/2020, you are informed that the evidentiary phase of the
procedure until expired on 01/15/2021. "
TENTH: Complementary allegations of the claimed to the agreement to initiate the
proceedings. (I) Presentation of their allegations in the AEPD. (II) Allegations
complementary formulations.
I. On 01/20/2021 a " Receipt of presentation at the Registry office " is generated ,
issued by GEISER (Integrated Management of Registry Services), registration number
O00007128e2100001973, referring to the alleged presentation by the defendant of a
brief of complementary allegations to the PS / 240/2019, without with the aforementioned receipt
no writing or document will be attached .
The receipt issued by GEISER includes, among others, these indications: "Date
presentation: 01/20/2021 10:38:13 (peninsular time) ”; " Type of documentation:
Attached digitized documentation ”; "Interested: Equifax Ibérica, SL". Also, under
the heading " Registry Information " is indicated: " Type of subject: entry ";
" Summary / subject: Complementary allegations to PS 240/2020"; "Unit of
processing destination / Management Center: Data Inspection- XXXXXXXXX / Agency
Spanish Data Protection ”.
Given that with the presentation receipt of GEISER it did not enter the registry
of the AEPD or the aforementioned document, “ Complementary allegations to the PS
240/2019 ”, nor any other, on 01/21/2021, the examiner of the file, by means of
communication notified electronically to EQUIFAX, informs you of this incident and
that, having made the relevant technical checks, the IT services of
The Agency considered that the issuer of the shipment - the one claimed - did not go up to the
found no document or, if it did, made an error that determined that the
shipping out unfeasible.
Also on 01/21/2021 there is evidence of another " Receipt of presentation in
Registry Office ”, issued by GEISER, in which the filing date appears
on 01/20/2021 at 9:34:58 PM (Peninsular Time); the reference O00007128e2100002152
and as interested Equifax Ibérica, SL, in which it appears as " Summary / subject"
" Request for extension of the deadline for the presentation of evidence."
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 61
61/184
Given this fact - that on 01/21/2021 there were two GEISER entries from
EQUIFAX, referring to " Complementary allegations to PS / 240/2019 " and " Request
extension of the term to present evidence ”, with which neither the
document that the entity claimed to contribute or any other - and, since, according to the
information that our computer application offered us, the one claimed had not yet
accepted the electronic communication that was sent to him on 01/21/2021 for
inform you of what happened regarding the first entry, the instructor of the file
send an email to the EQUIFAX representative, at the email address
contained in the form used for the submission of documents relating to
this procedure, in which both incidents are brought to your attention.
The email sent on 01/21/2021 at 1:12 PM, has been incorporated into the
file through diligence of the instructor signed on 01/21/2021.
EQUIFAX responded to the email on 21/021/2021 at 8:48 p.m. and
explained that they had submitted electronically, again, the two documents,
Supplementary arguments to the initiation agreement and request for extension of the term
for the provision of evidence. On 01/22/2021 the
EQUIFAX documentation, which is communicated to the entity through another email
Instructor's email sent at 9:59 a.m. 01/24/2021 at 1:51 PM
the EQUIFAX representative sends an email stating that
have sent both letters again through the headquarters of the AEPD and attached the
supporting document. All these communications exchanged through email have been
incorporated into the file by means of a diligence signed by the instructor on
01/25/2021.
II. On 01/24/2021, the letter of
Complementary arguments to the agreement to initiate the sanctioning procedure
presented by the claimed.
In said letter, after requesting that “allegations be made in relation to
with the content of the administrative file of which he did not know until his
remission on December 28, 2020, and they must be considered
complementary to those formulated in its day to the Initiation Agreement ... ”, makes these
requests:
That the nullity of the procedure be declared for the reasons that
details in the first allegation of the brief of allegations; subsidiarily, the file
of the procedure and, in the alternative with respect to this last claim, the
imposition of a warning or warning or a significant reduction of the
amount of the fine established in the initiation agreement.
Also, as it did in its first brief of allegations to the commencement agreement, it requests
" [...] the opening, [...] of a trial period in which it can contribute to that AEPD the
documents that it considers necessary in case it does not
give truth to what is stated by my client in section 2 of the allegation
third of this writing. "
The arguments that he uses in support of his requests are structured in three
allegations:
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 62
62/184
The first allegation has the heading “ Of the exceptional affectation of the right to
effective judicial protection derived from the situation that occurred in the file
administrative in the present proceeding ”. In this section he states that “ the
administrative file forwarded by the AEPD was, in the words of the
Control Authority itself, cut into no less than 1,345 pages ” and that it lacked
of information on said circumstance because, “having processed the same [the
file] by that AEPD without his knowledge ”, he had not been able to know the scope
real of the submitted administrative file . It highlights that, of the complainants "now
incorporated into the file ”, the AEPD had only transferred it, for the purposes
of articles 37 and 65.4 LOPDGDD, of three of them.
In this line of argument, he recalls that, in his allegations to the agreement to initiate
08/19/2020, requested “to limit the prosecution of this case to claims
actually pending in the administrative file, resulting in that said
file did not contain any information on 43 of the relationships
referred to the initiation agreement ”. However, more than four months after
formulate such allegations, the AEPD informs you that the file was
" Amputated" in more than 30 percent of its length; sends you a new copy of the
file and does not give you the possibility of alleging what is appropriate to your right,
"Limiting itself to agreeing on a delay in the beginning of the probationary period."
The defendant affirms that this way of acting is contrary to the regulatory regulations
of the administrative procedure, articles 65.2.f) LPACAP and 89.1 of the same text
legal, in respect of which he comments that “ the hearing process of the
interested parties and the right of the accused to formulate allegations, in view of the
administrative file, are configured as an essential guarantee of the
procedure, being the reflection in the administrative sanctioning procedure of the
Right to effective judicial protection that assists the accused. "
It concludes from the above that “the action of the AEPD in the present case, [...] supposes
an infringement of their right to defense, which makes the procedure incur in
the nullity defect established in article 47.1 e) of the LPACAP, given that it has
dispensed with a procedure as essential as that of hearing the accused in a
sanctioning procedure. And this vice cannot be remedied by the fact that my
principal issue these allegations. "
Regarding the alleged omission of the hearing process, he makes these considerations:
On the one hand, the principles applicable to the procedure have not been respected
sanctioner “as he was unable [...] to have a real knowledge of the file, except
with the scope of which you were notified prior to the formulation of your
allegations to the Initiation Agreement . " It explains that “ The AEPD affirms that said file
must be completed until the one that was the subject of referral and registration in the
offices of my client on December 26, 2021, despite the fact that said file
does not correspond to the one previously submitted for allegations, on the sole basis
to affirm, in the written notification to my client, that said file is the
complete and that must replace the previously notified. " That, “despite ignoring the
reasons why he was not referred at the appropriate time of the procedure the
complete administrative file, as it is recorded in a formal act issued by the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 63
63/184
instructor ”is not going to question such a statement. Add that we are in this
case "in the absence of more than 30 percent of the file and that" There is not even
correlation between the indices of the two files submitted. I mean, I don't just know
produces an addition of 1,435 pages to the file, but also that supplement
is interspersed throughout the procedure, making it even more difficult to properly
exercise by my principal of his right to defense. "
It points out that the violation that has occurred throughout the processing of this
procedure, “ is even more aggravated when in his brief of December 23,
2020, the AEPD not only does not grant any term to my client for the issuance of the
cited allegations, but rather more fully seems to grant it the
concession or grace consisting of delaying the initiation of the trial period for
within ten days from the delivery of the aforementioned "completed" file or
"Supplemented".
Through the second allegation of the brief of supplementary allegations to the
The initiation agreement is ratified in the allegations that he made in his brief of
allegations to the starting agreement of 08/19/2020. As for “ what constitutes the
merits ” of the sanctioning procedure, ratifies what is stated in the allegations
third to sixth of his brief and reiterates " the full legality" of his action in relation to
with the FIJ. He reiterates what was stated in his first allegations about "the scarce,
when not non-existent, link ” between the issues discussed in the
sanctioning procedure and the claims that were formulated.
The third allegation of the supplementary allegations brief is entitled
“ On the claims not incorporated into the file in its additional referral and
which are included in the nine version sent on December 26, 2020 ”.
It begins by stating that, in general, the claims incorporated in what is
that she calls " this new version of the administrative file" have
characteristics largely similar to those of the claims in the
copy of the file initially provided by the AEPD, but, unlike those,
In this group, it is exceptional that the AEPD transferred the claim to the
effects provided for in articles 37 and 65.4 LOPDGDD.
The complainant understands that the AEPD issued the admission agreements for processing without
know or assess any point related to the claim, except the reference
to the " treatment of data in the file of judicial and administrative incidents ", and
who decided to admit them for processing even when the documentation provided
by the claimants, it was inferred that the claims were formulated “ with respect to
requests that were still pending response by EQUIFAX, made
reference to the treatment of the claimants' data in files other than the FIJ or
that even [...] were not accompanied in some cases by the slightest
information regarding the formulation of such claims ”.
Regarding the period between the date on which the claim was filed before
the AEPD and the date on which the Agency agreed to its admission for processing highlights that
“It is extremely long, sometimes reaching a duration close to the
eighteen months".
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 64
64/184
It maintains that, from the content of the file, it is concluded that “ the AEPD considers that
Admission for processing is nothing more than a formality that must be fulfilled, regardless of
account for the legally foreseen term or for the mere presentation of a claim
when, probably, it has already been decided, without carrying out an inspection action
any, initiate a sanctioning procedure and with the sole objective of increasing even
plus the file. "
Next, the respondent analyzes the claims and groups them into the following
categories: A first group formed by the cases in which the entity responded to
the claims of the interested parties and, in addition, it proceeded to the deletion of the data
with respect to which the owner had exercised this right. It includes
the claimants identified with the numbers 22; 47; 48; fifty; 67; 80; 87 and 96.
Regarding this group of claims, he comments that “ in practically all of the
enumerated assumptions, the claims were formulated before the AEPD when
the period of one month legally established to give
response to the request of the claimant ”. And he adds that even in some case,
like that of claimant 87, the terms were not longer than one week. mentions
the case of claimant 80, in which the claim before the AEPD was formulated after
that the complained party had attended to the right of deletion, as a consequence of
have provided the documentation that accredited the payment of the debt included in the
FIJ, and in which the AEPD agreed to admit the claim for one year and two months
after the date it should have been, 06/11/2020, fifteen months
after the date of the claim and fourteen months after the response of the
claimed to the AEPD.
A second group made up of those claims in which the interested parties
exercised before the claimed the right of access to their data working in the FIJ, which
was attended by her in a timely manner, and, without having addressed a request to her in
In this sense, the interested parties complained to the AEPD “the lack of attention of the
right of deletion ”; right that either had not been exercised before the claimed
“ Either it was done simultaneously or even later before [the respondent], claiming
issues such as that the treatment was not based on its previous
consent, that the collection of data from newsletters and newspapers was not lawful
officials or even that the Authoring Administration of the publication expressed its
disagreement with the very existence of the FIJ. " Cite claims as an example
presented through the representation of Inzertia regarding the claimants 23;
24; 46; 47; 64; 66; 68; 69; 70; 71; 74; 79; 81; 82; 83 and 84. It also highlights that,
Regarding claimant 47, the data was deleted despite the fact that it was not
that's your initial request. And regarding claimant 80, despite having exercised the right
access, he was informed that there was no data in the FIJ.
A third group of claims that would include those in which the
interested parties exercised the rights of "access, rectification, cancellation and opposition ",
" Which makes the response from my client extremely complicated." In this
of course there would be the claimants 76; 85; 90; 91; 92; 93 and 94.
The defendant declares that, with respect to the claims framed in this
category, since the cancellation was requested, its origin was analyzed, but not
it was possible to grant it “by not providing information about the satisfaction of the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 65
65/184
debt. "He says that it was not possible to attend to the request for opposition " by not
provide by the interested party any information about the special circumstances
derived from her personal situation that protected her. For this reason, it was requested in
in all cases, the provision of additional information. "
Another group would be made up of those claims in which the
claimed the deletion of a certain data included in the FIJ but in which the
The interested party did not provide the information to prove that the debt had been satisfied.
Claimants 21 would be in this case; 49; 73; 86 and 89. In addition, the entity indicates,
that “ these assumptions, as reasoned in the allegations to the Initiation Agreement, are
exercises of the right of deletion and not of the right of opposition, since what is
affirms is that the treatment is not lawful because the debt is paid (article
17.1 d) of the GDPR). " .
Finally, it refers to a group formed by various claims: That of the
claimant 78, of which it states that it does not refer at any time to the FIJ or the
reference to it can be found in the administrative file, so there is no
is related to the present proceeding. That of number 97, which was answered
informing that there was no data associated with his name, surname and document
identifying. Or that of claimant 95, who entered the AEPD on 05/06/2019 and did not
it was admitted for processing until 06/11/2020.
EQUIFAX maintains, after analyzing the 43 claims that "now appear in the
administrative file and of which this party was not aware ”, that his
action was respectful with data protection regulations and that, as already
stated in its allegations to the initial agreement, “it is not possible to appreciate the existence of
a real relationship between the claims made and the legal basis of the
I agree, appearing, with all due respect, that the aforementioned claims
rather they act as an excuse to justify the opening of a file of the
magnitude of the present that as the foundation of what he later considers
the sanctioning body attributable to my principal ”.
ELEVENTH: Test phase. (I) Opening of the test phase. (II) Notification to the
claimed and first request for evidence. (III) Request for extension of the term for
respond to the requested evidence. (IV). Respondent's response
I. In accordance with the provisions of article 77 of the LPACAP, on the date
01/19/2021 it is agreed to open in the sanctioning procedure a test phase for
a maximum period of fifteen business days. This is stated in the diligence signed in that
date on file.
II. In writing signed on 01/19/2021, electronically notified and accepted by the
claimed on 01/20/2021, you are notified of the opening of the test phase and the
evidentiary proceedings to be carried out.
In said letter it is also agreed to consider reproduced, for the purposes of evidence, (i) the
ninety-seven claims mentioned in the Background of the settlement agreement
of PS / 00240/2019 and its attached documentation; (ii) the documents generated and
obtained by the Inspection Sub-Directorate in the information request prior to the
admission for processing of claims and the corresponding admission agreements
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 66
66/184
processing of the aforementioned claims; (iii) the allegations to the agreement to initiate the
PS / 00240/2019 presented by EQUIFAX) and its attached documentation; (iv) the writing
that the instructor of the file addressed to EQUIFAX on 12/23/2020, communicating the
sending a full copy of the administrative file that served as the basis for the
opening of the sanctioning procedure; (v) the brief dated 12/28/2020 of
EQUIFAX, in which it requests the extension of the term for the second allegations to the
initiation agreement and (vi) the response brief from the instructor of the procedure that
The respondent was notified on 01/13/2021.
It is convenient to review here - even if this means altering the chronological order
followed in the account of the actions carried out - which, after the writing
notification of the opening of the test phase, through diligence dated
02/11/2021, the investigator of the file recorded that there were
incorporated into the procedure, for testing purposes, the second
allegations / allegations complementary to the one claimed to the initiation agreement, which
had entered this Agency on 01/24/2021. This was requested by the complainant in a
letter dated 02/09/2021 that was intended to request an extension of the term for
respond to the new evidence (additional evidence) that is given to you
required.
Well, in the written document signed on 01/19/2021 and notified to the complainant on
01/20/2021, you are required to provide the Agency with documentation and / or
following information:
"4.1. The copy of the record of the personal data processing activities,
provided for in article 30 of Regulation (EU) 2016/679, regarding the treatment
that EQUIFAX carries out through the File of Judicial Claims and
Public Organizations (hereinafter, FIJ). You must state in your
answer the date on which the activity record was prepared and provide the
initial version of the document together with any additions, modifications or
exclusion made on its content later.
4.2. In the event that EQUIFAX does not have a record of the activities of
treatment carried out through the FIJ, you must provide the following
information:
(i) The reasons why, in his opinion, the dispensation of the article is accepted
30.5 GDPR.
(ii) The information indicated in sections a) to g) of article 30.1 RGPD.
4.3. The copy of the impact assessment on the protection of personal data,
provided for in article 35 of the RGPD, relating to processing operations
that EQUIFAX carries out through the FIJ. You must provide the initial version of the
impact assessment and, where appropriate, details of the modifications or
updates that may have been made. In the event that
EQUIFAX does not have an impact assessment on data protection
personal data referred to in article 35.1 RGPD, which informs of the reasons
For which, in his opinion, the treatment carried out through the FIJ does not involve
a high risk and the arguments on which the non-application of the precept is based
of article 35.3. GDPR.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 67
67/184
4.4. Regarding the personal data processing operations that
EQUIFAX carries out through the FIJ, the weighting that on the interests in
game would have been carried out by the entity to conclude that the
interests or the fundamental rights and freedoms of the data subjects vis-à-vis
the interests pursued by that claimed entity or by a third party.
4.5 . The criterion or criteria that the FIJ uses to organize in its systems the
personal data object of treatment so that their holders are
duly identified. If such criterion had undergone variations since the
entry into operation of the FIJ, must report both the criteria
used initially and those adopted later, with an indication of
the date the variance was implemented. Your answer should be
properly documented.
4.6. Number of natural persons with respect to whom they existed in the FIJ
active data records. You must indicate the number of people affected by
the processing of your data through the FIJ during the last six years and
provide the information broken down by years.
4.7. The total global annual business volume of EQUIFAX IBÉRICA, SL,
during the financial year 2019. Your response must be duly
documented
4.8. The economic result obtained by EQUIFAX IBÉRICA, SL, derived,
exclusively, of the activity that it has developed through the FIJ. Shall
provide the information corresponding to the last six years, broken down by
annuity or, where appropriate, exercise. Your answer must be duly
documented.
4.9. Information on the number of associates that EQUIFAX has and has had for
receive information from the FIJ. You must provide the number of associates that the
entity had in each fiscal year during the last six years.
4.10. Identify the documents in which - according to statements by the
representative of the claimed made in the brief of allegations, folio 63- la
AEPD, with its action, “had unequivocally concluded the action of
EQUIFAX ”. This, without prejudice to the resolutions of Protection of rights to
referenced in the pleadings brief to the initiation agreement.
III. The complained party, by writing that has entry in the electronic headquarters of the
AEPD on 01/24/2021, requests that the period initially set be extended by five days
in order to respond. The instructor of the file, in writing signed on 01/25/2021,
communicates that the period initially set for
evacuate the process. The letter is electronically notified to the complainant on 01/25/2021
that you accept the notification on the same date.
IV. Respondent's response to the first requested evidence.
On 02/10/2021, the petitioner's written
response to the requested evidence with which it attaches nineteen documents.
It begins by invoking the “ confidentiality and business secrecy of documents
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 68
68/184
provided together with this document and requests that they be [...] treated without dissemination of
the elements that affect its business configuration or the secrecy of its performance
commercial and without them being used or disseminated ” . He cites for this purpose the
Law 1/2019, of February 20, on Business Secrets.
1.- To the question formulated in point 4.1., In which you were required to provide a
copy of the record of data processing activities (hereinafter, RAT)
personal information relating to the FIJ and was expressly requested to provide the date on which the
prepared the document, responds by providing five documents of which four
correspond to the initial version of the FIJ RAT and the fifth to the final version. Without
However, it does not report the date on which the initial version was produced and the version
final; This information is not offered in the written response to the tests.
requested nor does it appear in any of the five documents provided.
The initial version of the RAT is included in documents 1 to 4. All of them carry in
the first folio the legend “ Record of treatment activities. Article 30 GPDR. V
01 ". They have, respectively, this " Registry Name ":
" Downloading information from public sources"; "Generation and sending of files to
other platforms ”; "Integration of information in BD" and "Access to the judicial file"
.
The fifth document contains the final version. The first folio indicates: “ Registration of
Treatment Activities. Article 30 GPDR. V. Final ". “ Name of the Registry.
Download, generation and integration of information from public sources by
EQUIFAX and access to the file by clients ”. In the RAT, final version,
Section 3, “ Purposes of the treatment ”, the phases of the processing are shown schematically.
treatment and its purposes.
The first, the "information download", "in pdf format from the BOE page and
of the TGSS. The purpose of this activity is to generate the following files
main: BORME, Administrative Notifications, Claims and Judicial ".
Once the loading and updating of the information in Pick is finished, the lists are saved in
database (additions, modifications and deletions of records in Pick) that serve as a source
of information to other environments, platforms and products, guaranteeing the integrity
of the shared information. “ Once the files have been downloaded in the directories
corresponding data and having processed the information and prepared the
loading, the information is integrated into the database . " And finally,
“ Once the information is integrated, the entities that have contracted the service access (for
name and surname or DNI) to the Equifax database to be able to do the analysis
of solvency on the interested parties. "
Point 8 of the RAT, final version, which has the heading " Deadlines for deletion of the
information ”, it reads like this:“ The information is accessible for 3 months and then it is
saved in a Linux directory in order to be able to work later with the
data. Said information, saved in “PDF” format, will be available for a
period of 10 years from the date of publication, and this with the sole purpose of being able to
respond to possible claims and respond to requests for information
by the competent administrative body, as well as the courts and
courts. " In the initial version, document 4, there is a clause 8 identical to the one that
we have transcribed. (The underlining is ours)
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 69
69/184
2.- To the question that was formulated in point 4.4., Regarding the weighting of the
interests and rights opposed in the data processing that the entity performs at
through the FIJ and in which it had concluded that the interests or
fundamental rights and freedoms of the data subjects vis-à-vis the interests
persecuted by her or by third parties, responds that she has already provided this document with the
allegations to the initial agreement but which, nevertheless, facilitates it again.
The document number 8 that for this purpose provides in this process - “ LIA Judicial File.
Legal Analysis. December 2019 ”- it is the same that he sent to the AEPD as an annex to
the allegations to the agreement to initiate the sanctioning procedure. In their
allegations to the commencement agreement and in its response to the test procedure the claimed
has warned of the confidential nature of the documentation and, what is more, the document
number 8 bears the indication “ Internal use only ” on its first page .
The Document called LIA Judicial File, very extensive and whose content
It consists, in essence, in a reiteration of the arguments put forward by the
claimed in its pleadings; in reflections on the action that would be
It is desirable that the AEPD adopt in this matter and in the description of the measures
plan to adopt, but without specifying the dates, it is structured in the
following sections from which we extract the most relevant content:
1. Scope of this report. Indicates that the purpose is to determine whether the treatment
carried out as a result of the capture of public access sources would be
legitimized in accordance with the personal data protection regulations.
2. Regulatory evolution in Spain of sources accessible to the public and evaluation of
solvency. Organic Law 5/1992, of October 29, regulating
the automated processing of personal data (LORTAD); the law
Organic 15/1999, on the protection of personal data (LOPD), in particular
articles 3.j; 6.2 .; 28 and 29.1 and the Development Regulation of the LOPD, approved
by Royal Decree 1720/2007 (RLOPD). It alludes to the GDPR and the fact that the
The term public access sources appears only in Recital 61 and in
article 14.2.f. Cite Organic Law 3/2018, of December 5, on Data Protection
and Guarantee of digital rights (LOPDGDD) and refers in particular to the
articles 11.3.b) and article 4.2.d)
3.General considerations on the legitimate interest as a legitimate cause of the
treatment of personal data. It indicates that this legal basis of the treatment does not
allows to provide a documentary justification for which it will be necessary to adopt the
measures aimed at proving their attendance. This requires proper analysis
of the requirements demanded in the precept to be able to conclude that an operation of
treatment is covered by it. Mention here the Opinion 6/2014 of the WG29 and the
methodology that describes to verify the origin of the application of the database
provided for in article 7.f) of the Directive as well as the STJUE of 11/24/2011.
4.Concurrence of the prevailing legitimate interest in the treatment of the information of
public access sources. In the analysis it distinguishes: 1. The legitimate interest of Equifax; two.
The legitimate interest of the credit system; 3. The legitimate interest of the insurance sector; Y
4. The legitimate interest of the insurance sector for the prevention of fraud.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 70
70/184
Regarding section 1, (the legitimate interest of EQUIFAX) it says that the RGPD does not
contains a provision such as article 29.1 of the LOPD on which, it says, “ legitimized
the credit bureaus to the treatment of personal data obtained from records
and sources accessible to the public ”. He adds that the fact of not having these defined
concepts (that of publicly accessible sources) “by itself would not simply exclude the
legality of the processing of data from these sources, and in particular from the
Official Gazettes and Newspapers, taking into account their universal accessibility by
any person, although the presumption of prevalence of the
legitimate interest established by the previous regulations. " and cites in support of his thesis the
judgment of the CJEU of October 24, 2011, paragraphs 44 and 45:
Regarding judicial notifications, it indicates that Equifax only integrates in its
judicial information files procedures processed by the Courts of
First Instance, First Instance and Instruction (excluding in any case the
trials of misdemeanors), of the Mercantile and the Social. In this way, the
processing of data related to criminal jurisdiction.
Regarding administrative offenses, the RGPD does not contain a provision
with respect to them, so it does not establish any limitation or specialty in relation to
with your treatment. However, the first two paragraphs of article 27 of the
LOPDGDD establish a special regime for this type of treatment, although,
judgment of the claimed, the precept is exceeded in relation to the powers that
the GDPR recognizes Member States. Then add:
“ Given this situation and, specifically, taking as an interpretive criterion the Judgment
of the Superior Court of Justice of the European Union, (Second Chamber) of May 4
of 2017, we consider that the AEPD should follow the same line
interpretative than that followed by jurisprudence, insofar as the data
manifestly public or from public sources should be framed within the
legitimate interest in its subsequent use, when the purpose pursued is to provide
the operators in the market the most reliable information possible in order to assist the
correct functioning of the market in our country, because in this case there is no
They would be violating fundamental rights, as is the case with the SICs of art.
20 LOPDGDD (purpose and corporate purpose of Equifax in both treatments) ”. (The
underlined is ours)
Remember the general conditions of reuse of the BOE website and that
Equifax extracts from it information related to liens, auctions, claims
administrative, published by the General Treasury of Social Security and the
Agency
Understand that there may be a reasonable expectation, on the part of the interested parties
(whose data have been published in the BOE, BORME or TGSS) of use of your data
for the purpose of evaluating your solvency in a credit application, when
Previously, you have proceeded to claim the payment of a tax debt or the
Social Security that is still pending payment, the purpose for which, said data,
they would be integrated into the Equifax Judicial file.
He concludes by saying: “we consider that the legitimate interest of
Equifax in the treatment of such information for the purpose of judging the solvency of the
potential borrowers, prevent fraud in the contracting of financial products and
insurance company, whose data on debt with public administrations appear in
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 71
71/184
sources accessible to the public whose information is expected to be reused. " (The
underlined is ours)
5. Refers to the " suitability " and " necessity " of the treatment of information from sources
of public access for the fulfillment of the legitimate interest. They are collected in this
epigraph the following considerations:
“ Regarding the suitability of access to information from sources of access
public for the achievement of the purposes that have been described in the previous section and,
consequently, for the satisfaction of the legitimate interest pursued by the entity
manager of the system, the entities participating in it and the
consumers in their capacity as potential beneficiaries of the financing, it has already been
indicated that the knowledge of delinquency information from sources
such as the BOE or the page of the Social Security Treasury is a measure
ideal for the achievement of the objective pursued. "
6. Impact of the treatment of sources accessible to the public on the rights and
freedoms of those affected.
It says that the processing of data related to the downloading of judicial information
such as (CIF / NIF / NIE, name of the defendants / bankrupt and
plaintiffs, addresses, amounts of seized personal property, names and
bankruptcy administrator's email, social security number, name and address to whom
claims the debt) implies an affectation to the privacy of consumers.
However, the fact that this limitation occurs would not impose
necessarily a weighting of the aforementioned right on the legitimate interests that
have been described as long as the due guarantees are adopted that
allow the legitimate interest to prevail over the limitation of privacy that
involves treatment.
And he warns: " In any case, it should be taken into account that the treatment being
making reference does not affect more than breaches of obligations
money, financial or credit of the applicant for credit or insurance, as happens
with the SIC of art. 20 of the LOPDGDD. This means that the system in no
case is intended to disclose additional information that refers to said
subject or other data other than those published by public access sources.
Therefore, the level of interference of the treatment in the private sphere of the affected
should be modulated taking into account this objective condition and the fact that it is not revealed
additional information to the credit default situation of the interested party. "
7. Operation of EQUIFAX files with information obtained from sources
public access.
At this point in the document it is indicated: “ Through the process of Loads of
Judicial and BORME information, it is possible to import information that is very useful for
Equifax on natural and legal persons that is published in free access media
such as the BOE or the page of the Social Security Treasury.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 72
72/184
The database in which this information is integrated and consolidated is managed by
the Operations area and is called Pick It should be noted that there are additionally
enrichment processes of the data contained in Pick by importing
of files from information providers and other public sources.
(The underlining is ours)
From this Pick database, the information is exploited to generate products for
Equifax customers and is also used to feed through files other
company databases and platforms: Host (IT), EDEN (UK), SAS (D&A) and
Oracle.
The document includes a table that “ describes the complete flow of the process,
starting with downloading and obtaining information from external sources,
continuing with the treatment of this information and ending with the load or
integration in the Pick database, generating the files: BORME, Notifications
Administrative (Pre-judicial), Claims and Judicial. The result obtained is
a complete and complete Pick database with quality information and that serves the
source data for many Equifax products and processes. It is important
know that the key field of the records contained in Pick is the identifier of
person (physical or legal). This identifier can be the CIF, NIF, NIE, Number of the
Social Security or a provisional number assigned to you. This identifier is
relates to the rest of the registry information, each data being associated
directly to the data source from which it was obtained . " (The underlining is ours)
The products that are currently generated with this information are the following:
Judicial Consultations (Batch); Consult Bankruptcy Situations (Batch); Queries
File ASNEF Companies by Third Parties (Batch); Consultations File ASNEF Companies
(Online); Consultations File ASNEF Companies (Online) Resellers; Queries
Judicial APPC (Online); Judicial Consultations (Online); ID Verifier; ; IdentityRisk;
Reputational Risk Monitoring; Active companies enrichment; Collection Matrix;
Proactive alerts for ASNEF Companies; SVCNM ASNEF Companies; Daily alerts
Bankruptcy; Judicial Alerts.
7.1. Downloading and obtaining data from external sources and processing of files.
It is the process by which Equifax downloads and obtains all the necessary information
to incorporate into the Pick database. In the table in Annex I that includes the
document describes, among other issues, the main data obtained, the
data sources and the download website so that, later, it can be carried out
correctly its integration in the Pick database.
The files that are downloaded automatically are initially stored in the
Directories on the production machine and those downloaded manually are
initially downloaded to a network repository that is the same as the one where
they deposit the downloaded files automatically already processed. " IT generates backups
of this network directory, but the original files will be kept according to the
retention periods defined according to GDPR. This solves the problem
access to historical information since according to regulations the files can only be
be in BOE for your consultation for 3 months. "
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 73
73/184
7.2. Recording criteria for defendants, plaintiffs or debtors.
Every record that is going to be integrated into the database must comply with the
following requirements, distinguishing between natural and legal persons. Regarding
natural persons: It must be a person who can be reached, by full name or by
full address, we will have to take into account several concepts
•
When only DNI / NIE appears, we will check the database. On
If you have a history of this DNI / NIE, we can incorporate it, otherwise
we cannot incorporate it.
•
If the name and surname with full address were published
we would search the database, in the event that all the data matched the
we would select, otherwise we would assign it a provisional number.
•
If the name and surname appear published but without address and without DNI / NIE
we could not integrate them.
•
If the initials of the name and surname appear published, or simply a
surname or a name (a word) we could not integrate it.
Next, the document jumps from point "7" to point "IV" which is headed
" Description of the guarantees and rules of operation of the file of
judicial information ”.
In this section IV it indicates that, “ Once the existence of a legitimate interest
sufficient that it could be considered as a legal basis for the treatment ” and having
keep in mind that this treatment implies a limitation of the right to privacy of the
affected, the “ guarantees that the system is going to establish in order to reinforce the
protection of the rights of the interested party ” following constitutional jurisprudence
cited. And adds:
“ At this point, it should be indicated that, as has been said previously, the forecasts
enabling legal systems to create these systems would allow the same
could be considered covered by the rule of article 6.1 f) of the RGPD through the
compliance with guarantees merely equivalent to those required for the systems
of credit information regulated by the LOPDGDD . " The document does not specify the
date on which these guarantees are to be adopted.
1. Guarantee of data protection principles:
1.1 Principle of purpose
It indicates among other things: “On the other hand, the principle of finality includes the limitation
of the subsequent uses of the data, since the RGPD prohibits in its article 5.1 a)
the subsequent processing of the data for purposes incompatible with those that motivated its
collection, although it exempts from this limitation the use of data for archiving purposes
public interest or scientific or statistical research.
The statistical treatment of the data contained in the file, once there is
after the period that is set for its conservation, to which we subsequently
we will refer, it is undoubtedly useful to have an adequate knowledge of the
behavior of society in relation to credit, being able to analyze the
evolution of citizens' habits in this matter or of the level of
indebtedness, particularly if it is confronted with the evolution of the economic cycle.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 74
74/184
For this reason, Equifax anticipates further use of the data for statistical purposes. Not
However, in order to fully guarantee the rights of those affected, so that
the information cannot be associated with identified or identifiable persons, will submit
that data to an aggregation process, so that the data can no longer
singled out for a given subject. In addition, this operation will be developed
with a minimum level of aggregation of twenty subjects per category, so that no
Nor can it be inferred from the aggregated data the singularization of the
affected. Therefore, although it could be possible to use the data, even
pseudonymised, for statistical purposes, only that prior use will be carried out
aggregation of the same, so as to prevent their singularization in the future. "
1.2 Principle of minimization.
The full guarantee of the principle of minimization is intended, so that the systems
do not include any information that is not absolutely essential for
being able to assess the solvency of customers. The data whose inclusion in the system
would be essential for the proper fulfillment of the purpose thereof, without
incorporate any other additional information, even if it could be
relevant for the achievement of said purpose, are those that appear in Annex I as data of.
"source".
1.3 Conservation principle
It considers that the term of five years, counted from the expiration date of the
corresponding period is adequate for the purpose pursued by the file of
judicial information, also taking into account that this is the period set out in the
Article 20.1 d) of the LOPDGDD.
1.4. Accuracy principle
In compliance with this principle and given that the edict publication only
recognizes the existence of the obligation to pay what is owed, but there is no
of additional information that allows knowing effectively if that amount is
owed at the time of listing notification, a possible solution to this
The problem would be the limitation of very short deadlines referring to the aforementioned
communications, and in the analyzed system this requirement is met, by reducing the
deadline for publications that have occurred in the last five months. However, this
reduction does not allow the risk derived from the treatment of
these data, being able to see the qualification of an interested party negatively by the
fact of incorporating an edict notice referring to a debt already paid from the
In the same way that the subject who had been subjected to it could be favorably affected.
made a notification with an antiquity of more than five months and there was no
proceeded to pay the amount owed.
1.5 Guarantee of the Principles of purpose and minimization in access to the file.
Enabling assumptions and uses of the data. Data that can be accessed.
The application of the principles of purpose and minimization will be reinforced as soon as
access to data with the application of the following guarantees:
- Only entities that maintain an account with their clients will be able to access the data.
relationship that determines the inclusion of your data in a SIC or to which those affected
have requested the conclusion of a contract whose execution would determine the inclusion
of such data.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 75
75/184
- Measures will be adopted to punish or even expel from the system the
entities that carry out unauthorized access to data.
- The data related to the previous consultations of the file, which will not include the entity
that had accessed it will only refer to the accesses produced in
the last six months.
In any case, the entities could not use the information collected from the
public sources in order to know the operation of the sector nor
in order to send any type of commercial offer to those who do not have the condition
of clients of the same.
2. Transparency and information to interested parties
In the cases of processing based on the prevailing legitimate interest,
reinforce the mechanisms of information to the interested party about the treatment of
data, in the terms established in article 14 of the RGPD.
2.1 Information after the collection of data from public sources
Equifax must inform the interested party about the inclusion of their data in the file.
in compliance with art. 14 of the GDPR: It will be up to Equifax to prove the
compliance with the duty to inform, regardless of the means used for it.
It says that the data contained in the public sources file will not be accessible
by the adhered entities as long as the term of thirty
days established for SICs in art. 20 LOPDGDD. In addition, the information referred
the notification made is incorporated into the database of notifications, in order to
prove its compliance with the AEPD.
The data referring to the cases in which there has been
The notification has been returned for reasons other than its rejection, unless
that it had been sent to the debtor's contractual address and the debtor appeared as
unknown, in accordance with the provisions of article 4.2 d) of the LOPDGDD,
according to which: "For the purposes provided for in article 5.1.d) of Regulation (EU)
2016/679, will not be attributable to the person responsible for the treatment, as long as he has
taken all reasonable measures so that they are suppressed or rectified without
delay, the inaccuracy of personal data, with respect to the purposes for which
are processed, when inaccurate data:
d ) They were obtained from a public registry by the person in charge ”.
In this way, sufficient guarantees are established to determine that there is no
risk in the treatment of this information.
2.2 Material impossibility of information in case of not having the address of the interested party
There are cases in which the information published in publicly accessible sources
does not include a postal address to which to make the notification of inclusion in
the terms of art. 14 GDPR.
In these cases, and following the Working Group interpretations of Article 29,
in the Transparency Guide under the RGPD regulatory regime, of 11/29/2017,
revised and adopted on 04/11/2018, it is limited to transcribing the following:
“ 59. The situation in which it is" impossible "under Article 14.5 (b) to provide
information is an all or nothing situation because something is impossible or it is not; Not
there are degrees of impossibility. Therefore, if a controller seeks
relying on this exemption, you must show the reasons that actually prevent you
provide the information in question to interested parties. Yes, after a certain
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 76
76/184
period of time, the reasons that caused the "impossibility" no longer exist and is
possible to provide the information to the interested parties, then the person responsible for the
treatment should be done immediately. In practice, there will be very few
situations in which a controller can demonstrate that in
In reality it is impossible to provide the information to the interested parties.
3. Rights of those affected
Specific protocols are envisaged to address the rights of articles 15 to 22
of the RGPD, whose requests, in general, will be attended within the period of
fifteen business days from receipt by the person responsible for the file.
3.1 Remote and permanent access to system information
3.2 Rights of rectification, deletion and limitation of treatment
a) Rectification The request for rectification must indicate the data that is erroneous and the
correction to be made and must be accompanied by documentation
justification of the requested rectification.
b) Deletion The interested party may exercise the right of deletion with respect to the
data that should not appear in the system, either because they do not correspond to the
reality, either as a consequence of the expiration of the conservation period to which the
has been referenced in a previous place. When the right of deletion entails the
Exercise of the right of opposition will be as indicated in section 3.3 below.
c) Limitation of treatment. Article 18 of the RGPD lists the assumptions
legitimating the exercise of the right to limit the treatment. result
especially relevant those related to the cases in which the affected party
exercise the right as a consequence of the invocation of letters a), b) and c) of the
article 18.1; that is, when “the interested party disputes the accuracy of the data
personal, for a period that allows the controller to verify the accuracy of the
themselves ", when" the treatment is illegal and the interested party opposes the deletion of
personal data and request instead the limitation of its use "or when" the
responsible no longer needs the personal data for the purposes of the treatment, but the
interested party needs them for the formulation, exercise or defense of
claims ”.
In these cases, the problem arises that the exercise of the right at the time
immediately prior to the request for a financial credit operation could
imply that the query of the system produced an image of the interested party not adjusted to
reality, subtracting from said image certain data that were being
object of assessment and, during that period, have their limited treatment.
It foresees that in the files of public sources a rule equivalent to the one
provided for in article 20.1.e) of the LOPDGDD, in order to guarantee the adequate
fulfillment by them of the purpose that justifies the treatment of the
information and ensure the accuracy of inquiries, but internally at Equifax we
poses within a phase II of development.
of limitation of the treatment when invoking the inaccuracy or non-existence of the data or its
illicit treatment, it will be treated as a cancellation proceeding to the erasure of the data in the
system.
3.3 Right of opposition. In order to protect and be a guarantee with the consumer
invoking your right to object by being included in a database whose
information has been obtained from a public source, interested parties may exercise their
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 77
77/184
right of opposition to appear in the Judicial file at your simple request, without the need
to require you to justify said request with specific reasons , except for proof of your
identity or current payment certificates in AEAT or SS. In this case,
will proceed to the exclusion of all your data from the file automatically.
3.4 Automated personal decisions and information to those affected
Article 22 of the RGPD recognizes the right of the affected person not to be subject to a
decision based solely on the automated processing of your data, including the
profiling, which produces legal effects or significantly affects you
similarly. The document says that the adoption by the entities will not be possible
adhered to the SIC of an automated personal decision regarding the hiring of
a consumer financial product requested by the interested party, the information being
contained in the public sources file only one of the elements to be taken
in consideration for the adoption of the final decision about said hiring.
4. Active liability measures
4.1 Technical and organizational measures and data protection officer
4.2 Requirements for access: limitation, traceability and security
4.3. Audit of the entities participating in the system
4.4 Reaction to security breaches
8. List of additional guarantees to be adopted after the RGPD and the LOPDGDD.
Provides for the implementation of the following guarantees, in addition to those established in the
data protection regulations, in order to guarantee an adequate weighting of
the rights and interests of those affected with the legitimate interest that justifies the
existence of these Files.
 The files will only incorporate the minimum data necessary for the
identification of the interested parties (DNI / NIF, name and surname, address) and their
Posted associated debts (eg, repossession cases).

In the process of Judicial and BORME information uploads,
temporary files in Pick that will only be kept for 15 days.

Data capture in accordance with the publication criteria of the Provision
Additional 7th of the LOPDGDD and its interpretation by the AEPD, with the
additional guarantee of not capturing asterisked data.
 Only the name and surname data of an interested party will be captured when the
They are accompanied by a postal address and / or complete ID.
 Quality control in the capture and subsequent inclusion of all addresses
Postcards published, relating to the interested parties, prior to loading
in the Judicial DB.
 Information will only be kept regarding non-compliances, produced in
the last 5 years (by analogy with negative, as regulated in art.
29.1 of the LOPD adapted to the current term of art. 20.1 d) of the LOPDGDD of
five years).
 Once the aforementioned deadlines have been met, the entity that manages the file
You can only keep the data for statistical purposes and exclusively
if it proceeds to a previous data aggregation process, so that the
They cannot refer to a group of people of less than twenty.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 78
78/184
 Interested parties are always informed about the inclusion of their data in
the Judicial File at the time of the same by sending a letter
informative that meets all the requirements of art. 14 GDPR, specifically in
compliance with art. 14.2 f) of said standard.
 Management of returned letters: The letters
whose reason for return is: "rejection by the consumer" or
"a stranger". (document accrediting the protocol that is followed is attached,
auditable and traceable).
 Data blocking: Data will remain blocked for thirty
days following the inclusion of the debt in the Judicial file, after said
term the data may be visible by all consulting entities.
 The system will have specific protocols aimed at attending to
the rights enshrined in articles 15 to 22 of the RGPD. With personality
In general, these requests will be answered within a period of fifteen business days.
from its reception by the person responsible for the file (Equifax Ibérica, SL).
 In order to strengthen the right of access, Equifax will establish a mechanism for
remote, direct and secure access to the personal data incorporated in the
itself, thus guaranteeing its permanent access by the interested parties. In case
of exercise by an interested party of their right of access, the person responsible for the
file will refer you to the aforementioned system, thus accepting your
request.
 The interested party may, without prejudice to the foregoing, freely exercise their
right of access to the data contained in the system maximum 5 times per
month, being provided by the person responsible for the file a copy of the data
incorporated into it. In case of exercise of the right in more than one
occasion must proceed to the payment of a fee oriented to costs that in
no case will exceed five euros.
 The interested party may exercise the right of rectification before the entity
responsible for the file. These rights will be taken care of in a maximum period
fifteen days.
 When the right of limitation of the treatment is exercised when invoking the
inaccuracy or non-existence of the data or its illicit treatment, it will be treated the same as
a cancellation or deletion of data, that is, it will be a cancellation, with indication
the reason for the cancellation.
 Interested parties may exercise their right of opposition to appear in the file
Judicial at the simple request of the consumer without the need to demand that
justify your request with specific reasons unless proof of identity
or certificates of current of payment in AEAT or SS. In this case, proceed
to the exclusion of all your data from the file automatically.
 In no case will the adoption by the consulting entities of the
Judicial file of an automated personal decision regarding the
contracting a financial credit product requested by the interested party,
being the information contained in the judicial file only one of the
elements to be taken into consideration for the adoption of the final decision
about said contracting, unless the consent of the
interested. In any case, the interested party will be informed if the information contained
in the judicial file it has been taken into account for the denial of the loan
or credit.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 79
79/184

A prior evaluation of the impact on data protection will be carried out in the
terms established in article 35 of the RGPD.
 In accordance with article 34.1 j) of the LOPDGDD, the responsible entity
of the common system will have a Data Protection Delegate

The staff of the member entities with access to the information will be limited
of the file,
 The system will guarantee
 the traceability of the accesses to it, producing the exchange of the
data through secure protocols that prevent access by third parties
during your communication.
 Equifax will periodically audit, through sampling techniques, the
access to the system, collecting when necessary the information that
accredit the legality of the same and in particular the use of the data for the
exclusive solvency assessment purposes that justify access to the
file.
 A response protocol will be adopted in the event of security breaches that
guarantee its immediate communication to the AEPD and, when appropriate, to the
interested.
Annex I to the document:
The information that appears in the columns with these is reproduced below.
headings: "Type of information" and the correlative of the columns " Data source " and
" Download website ".
1.Administrative Notifications of the AEAT (Pre-judicial). Data source: BOE.
Download website: Daily BOE Notifications supplement ->
2. Administrative Notifications of the AEAT (Judicial) Data source: BOE. Web
Download: Daily BOE Notifications Supplement ->
3. Administration of Justice. Courts of 1st Instance and Instruction and Courts of the
Commercial (Judicial-Contests) Data source: BOE. Download website:
Provisions and Announcements of the daily BOE -> Section IV. Justice administration
4.Administration of Justice. Social Courts (Judicial) Data source: BOE.
Download website: Dispositions and Announcements of the daily BOE -> Section IV.
Justice administration
5. Administrative Notifications of the TGSS (judicial) Data source: BOE. Web
Download: Daily BOE Notifications Supplement ->
6. Administrative Notifications of the TGSS (claims) (Last day that there was
publications in the BOE was on May 24, 2019) Data source: BOE. Web of
download: Daily BOE Notifications Supplement ->
7.Administrative Notifications of the Autonomous Communities Data source:
BOE. Download website: Daily BOE Notifications supplement ->
8. I. Registered Acts (Judicial-Contests) Data source: BORME. Web of
download: from the daily boe / Borme
9. Section I. Registered Acts Data source: BORME. Download website: boe / Borme
daily
10. Administration of Justice. Courts of 1st Instance and Instruction and Courts of
Lo Mercantil (Judicial-Bankruptcies) Source: BOCAM or BOP. Download website: boe.
Autonomous Bulletins and Provincial Bulletins
11.Administration of Justice. Social Courts (Judicial) Data source:
BOCAM or BOP. Download website: boe. Autonomous Bulletins and Provincial Bulletins.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 80
80/184
12. Administrative Notifications of the Autonomous Communities (judicial) Source
data: BOCAM or BOP. Download website: boe. Autonomous Newsletters and Bulletins
Provincial.
13. TGSS Notification Announcements (judicial) Data source: TGSS. Web
Download: sede.seg-social.gob.es Notice Board (TANUSS)
14. SECTION I - Bankruptcy Edicts: www.publicidadconcursal.es (Judicial-
Contests) SECTION II - Registration Publicity (Judicial-Contests) SECTION III -
Agreements Data source: Public bankruptcy registry. Download website:
www.publicidadconcursal.es
4.- The question formulated in point 4.5 of the brief requesting evidence was about
the criteria that the FIJ uses to organize personal data in its systems
treated so that their holders are duly identified. I know
requested information on both the criteria used initially and the changes
adopted with indication of dates .
The defendant explains that the integration criteria in the FIJ of the data it captures
referring to natural persons is a function of the sources from which they come
since, he says, “ The way in which the different public bodies have come
publishing the information, it has varied over time ”, so it has had to
adapt to such changes, “ in order that the holders may be due and
unequivocally identified . " He adds that the last variation in the form of
Publication of the data derives from the seventh additional provision of the LOPDGDD.
It should be noted that the respondent has not provided the information that was requested,
referring to the dates on which the different criteria were adopted. Offers us the
following information without specifying on what date you implemented these criteria:
a) If only the NIF / NIE is published: then “it is verified whether on the date of
publication, the NIF / NIE in question, is registered in the active information
of the FIJ (excluding therefore the one that is blocked). Depending on the result
obtained, different actions are carried out : "
a´) If the identifier is already included in the FIJ associated with a name and surname,
registers in the FIJ the new published information.
a´´) If that identifier is not included in the FIJ, the recording of the registry is discarded .
b) In the event that the name and surname and incomplete NIF / CIF are published:
d saves the recording of the data in the FIX file.
c) Cases in which name + surname + address is published: It proceeds
to the recording of the record in the FIJ file, associating both data.
d) Cases in which only name + surname appears published: In this
Of course, the recording of the data in the FIJ file is discarded .
And he added: “ Consequently, it can be concluded from what has been described that only
those notifications that either contain the name and
surnames associated either with a complete DNI or NIF (which no longer happens as
consequence of the application of the seventh AD of the LOPDGDD), or to a
determined address. Outside of these cases, only those
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 81
81/184
data in the event that the information referring to a DNI is already in it
complete and associated with its owner. "
4.- The question in point 4.6. dealt with the number of natural persons of whom
there were active data records in the FIJ during the last six years, having to
provide the information broken down by years and provide the documentation that serves as
rationale for your answer.
The claimed one provides two tables with this information. On the one hand, a table with the
“ Average number ” of natural persons that in the period 2016-2021 appeared in the FIJ.
Year 2016: 4,624,312; year 2017: 4,879,391; year 2018: 4,940,225; year 2019: 4,657,196;
year 2020: 4,183,445; year 2021: 3,826,436.
On the other, it provides a table with the number of natural persons that have been included in
the IJF since 05/25/2018: In the year 2018: 196,653; in 2019: 62,113; in 2020:
20,193 and in the year 2021: 2,358.
The respondent, despite being expressly required, does not provide any document
that certifies the veracity of the information offered. In addition, it does the following
comments:
That since 05/25/2018 a total of 282,037 individuals have been included and
produced “ a systematic reduction in the number of people included ” which is
due to “ the progressive implementation of the rules established in the provision
additional 7th of the LOPGDD.
That most of the records that remain in the file are prior to the
entry into force of the RGPD, when article 29.1 of the repealed LOPD established
a period of conservation of the data in the file of 6 years. And concludes by saying
that “[...] most of the records that remain in the FIJ were collected
before the entry into force of the RGPD, when it had not existed by the AEPD
no objection or questioning of any kind about the sufficiency of
the legitimate basis of the treatment in the file had not been discussed at any time
compliance with the principles established in the regulations of
data protection . "
5.- In point 4.7. asked about the total annual global business volume during the
financial year 2019. Respond by providing your individual annual accounts
(document 19) as of 12/31/21019 that include a turnover for an amount
net of 42,259,655 euros.
6.- The question in section 4.8 was about the economic result obtained by the
claimed during the last six years derived exclusively from the activity that
has developed through the FIJ, broken down the result by annuity or, where appropriate,
exercise and documenting your response.
The defendant has provided a table with the amounts of the “ direct income in
relationship with the FIJ access service provided to customers directly
since 2015 ” . These revenues range between € 316,204 in 2015 and
€ 1,734,763 in 2020. However, the complainant states “that the contracting of
other services by clients may include, [...] in addition, the
possibility of consulting the FIJ, agreeing with the clients a joint price for the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 82
82/184
entire service. In these cases , [the respondent] has no information
accounting that allows determining which imputation of the price satisfied by customers
it could be done [sic] to IJF. ”. (The underlining is ours)
Extreme from which it is concluded that, necessarily, the figure is much higher since the
most entities - we could affirm that, at least, all those in the sector
financial - they have access to the two files whose services the claimed provides.
This means that the figures provided do not provide a true picture of the result.
economic referring to the FIJ.
On the other hand, the respondent has warned that the information offered does not allow
break down how much of this direct income comes from access to
information related to natural persons and which of the access to information related to
legal persons, to which data protection regulations do not apply, therefore
that, he says, the figures he has provided should be considered reduced. Accurate
also that the economic information it provides refers to the amount of income
obtained, without taking into account the costs, since it does not have a system of
allocation of costs linked to each of the files it manages.
7.- The question formulated in point 4.9. dealt with the number of associates “who
has and has had the claimed one ”with access to the information offered by the FIJ.
The defendant clarifies again that there are cases of direct hiring of the FIJ and
others in which access to the FIJ is produced as a complementary service to the
hired by customers. Indicates that the number of entities that have contracted the
direct access to FIJ information is 18 but another 310
Entities can access the FIJ as a complementary service to those contracted with
her.
8.- The question in section 4.10. dealt with the documents - to which he alluded in
their allegations to the initiation agreement- in which the AEPD, with its actions, “ had
unequivocally lawful conclusion of the actions of EQUIFAX ”. This, without prejudice to the
resolutions of Protection of rights referred to in the brief of
allegations to the initiation agreement.
The defendant responds that “ The actions of the AEPD that this party is aware of
that have come to ratify both the legitimacy of the data processing carried out by my
represented in the FIJ [...] and which are reflected in specific documents
are the resolutions of the Guardianship of Law that have estimated and confirmed,
even after the entry into force of the RGPD and the LOPDGDD the criteria
followed by EQUIFAX to deny the requested deletion in those cases in
that the interested party did not accredit the payment of the debt that was registered in the FIJ. "
He adds that “[...] he respectfully understands that the behavior of the AEPD (a
through resolutions that even appear in the administrative file) did not
but to show the conclusion that the treatment was lawful and
covered by data protection regulations. For this purpose, it is necessary to
I manifest that if in a procedure in which an interested party invokes that a data object
treatment should be deleted the Control Authority concludes in the
inadmissibility of carrying out this deletion, does nothing but validate the legality
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 83
83/184
of the treatment, since otherwise this deletion would proceed, according to
to the provisions of article 17.1 d) of the RGPD.
If the AEPD considered the treatment illicit, as appears to be derived from this
file, had to first agree to delete the data and, then,
require EQUIFAX to carry out the necessary actions to adapt the
treatment of current legislation on the matter. However, the AEPD did not take
none of these decisions, but confirmed that the data whose deletion was
requested they should remain in the FIJ. (The underlining is ours)
In this way, the conduct of the AEPD reveals its opinion that the
treatment carried out by EQUIFAX was completely in accordance with the regulations
data protection (we insist that also after the full application
of the RGPD, as it appears in the file), so that such resolution is a
unequivocal statement of the AEPD on compliance with the regulations of
data protection by EUIFAX, embodied in an administrative act endowed with full
enforceability. "
TWELFTH: Test phase. (I) Second request for evidence to the respondent. (II)
Request for extension of the deadline to respond (III) Response of the claimed to the
tests.
I. In writing signed by the instructor on 02/01/2021, whose electronic notification
it is accepted by the recipient on 02/02/2021, new
tests (second tests or additional tests ) . The entity is required to,
within ten days, provide the following documents and / or explanations:
"1.-That, with respect to the File of Judicial Incidents and Public Bodies
(FIJ), detail the protocol that EQUIFAX has implemented during the six
previous years aimed at guaranteeing that the personal data that
are incorporated into said file were at all times
duly updated. You must provide the documentation that accredits your
demonstrations.
2.- Given that EQUIFAX has alleged that when the data
personnel are incorporated into the FIJ directs communications to those affected in order to
to inform them of their inclusion in that file, which detail what are the means
that you use and have been using for the past six years to carry out
the communications that you have alluded to. You must provide the documentation that
credit your statements.
3.- That detail what percentage of the incidents incorporated to the FIJ during
each of the six preceding years were communicated by EQUIFAX to the
affected. You must provide the documentation that proves your statements.
4.- Regarding the communications that EQUIFAX has sent to the
affected by notifying them the inclusion of their personal data in the FIJ, which
detail what percentage of those sent were returned to EQUIFAX or were
unsuccessful for other reasons. You must provide the documentation that proves
its manifestations.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 84
84/184
5.- To send a copy of the document that EQUIFAX makes available to
your associates / clients regarding the use they may make of the data
personal data accessed through the FIJ (exclusively that part of the
document dealing with such issue). You must provide the document / s
provided during the last six years in case they have been modified
during this time. If you provide several versions, you must specify the date
during which each one was in force. "
II. On 02/09/2021, this Agency receives a letter from the claimed in the
that, in addition to requesting that, by virtue of the provisions of article 76 of the LPACAP,
consider to be reproduced for the purposes of evidence the supplementary allegations that
filed on 01/24/2021, requests that the period initially set be extended by five days
to answer additional tests. The term extension is agreed
requested, a fact that is communicated to the complained party in writing dated 02/11/2021,
notified electronically on the same date, which was accepted by the recipient on
02/12/2021.
III. Respondent's response to the second request for evidence.
On 02/23/2021 the response is received at the electronic headquarters of this body
from the one claimed to the additional tests requested; written that bears like
title " Response to the request for additional information made by the Agency
Spanish Data Protection. February 23, 2021 ” and consisting of 6 pages.
He begins his answer by invoking the “ confidentiality and business secret of the
documents provided together with this brief [...] ” with respect to which he requests that
are treated without dissemination of the elements that affect their business configuration
nor to the secret of its commercial performance.
However, the respondent has not provided an annex to the brief with any document or
Nor has this Agency received any document at a later date with the
purpose of accrediting the veracity of what was stated in their response to the tests
complementary requested. Extreme of relevance because it was required
expressly to provide the documentation that accredits its
demonstrations. The acknowledgment of receipt from GEISER dated 02/23/2021, certifies that the
claimed filed on that date, at 22:20:48 (Peninsular Time), exclusively,
the written reply to the second request for evidence. Nothing says about assumptions
attached documents.
The respondent's response to the additional tests requested is the
following:
1.-To the first question, he answers: “To guarantee that the data captured in the FIJ
are up-to-date, Equifax relies primarily on:
1) Limitation of the sources from which the FIJ file is fed: as already reported in
our previous writings, Equifax collects the information that is registered in the FIJ of
the Official Gazettes published by the State, the Autonomous Communities,
Provincial Councils.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 85
85/184
The exclusive use of this source guarantees that all the information that is
collect is considered official and authentic as indicated in article 3.1 of the
Royal Decree 181/2008, of February 8, on the organization of the official gazette << Bulletin
Official of the State >>. Therefore, the use of this source is, in our opinion, a
guarantee that there are no doubts about the updating and veracity of the
information incorporated into the FIJ.
Newsletters are downloaded the same day they are published, so the information
of the FIJ is updated on a daily basis with the information contained in the Bulletins.
2) Automatic information capture processes: downloading the newsletters and the
subsequent registration of the data in the FIJ is done through automated processes
thus avoiding possible errors from manual processes. For reading
the data of the newsletters are used OCR reading processes that guarantee the
correct reading and recording of the data published in the bulletins
3) Recording criteria: as we have indicated in the answer to the first
request for information from the AEPD, Equifax has implemented criteria of
specific recording and already detailed previously to that AEPD, in order to ensure that
the holders are unequivocally identified for their inclusion in the
FIX. These criteria guarantee that there is only data of holders duly
identified
4) Notification of inclusion: this part has been making to the holders whose data have
been collected since May 25, 2018, a specific notification of your
inclusion in the FIJ, as a measure to guarantee the updating of the data. Said
communications allow interested parties, in a free and simple way,
check if indeed the data that have been published by the different
Official bulletins that have been collected by my client contain some error.
5) Attention to Exercise of rights: by attending to claims of the
holders in the exercise of their rights, the interested parties may, in accordance with
provided for in the data protection regulations, know what data is included in
the FIJ, for what purpose they are used, and, at all times, rectify, cancel, oppose and
limit the processing of your personal data ”.
2.- To the second question, he answers, first of all, recalling that the Hearing
Nacional reiterated through its Judgments -SSAN of 06/29/2001 (Rec. 1012/1999);
11/29/2001 (Rec. 531/2000) and of 02/27/2008 (Rec. 358/2006) - that the
data protection contained in the already repealed LOPD did not contemplate a
Obligation to notify the interested parties of the inclusion of their personal data in the FIJ.
Transcribe the following excerpt from the SAN of 02/27/2008:
"[...], it must be concluded that the notification of the inclusion is only required in the event
in which two notes concur: that the data refer to compliance or
breach of monetary obligations; and that they are provided by the
creditor or who acts on their behalf or interest. From which it follows that, having
taken the personal data, in the case now prosecuted, from the Official Gazette of the
Community of Madrid, there was no obligation to notify its inclusion in the
File of Judicial Incidents to the holder of the same. "
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 86
86/184
The respondent acknowledges that until the entry into force of the RGPD it did not carry out
any notification to those affected; which justifies that there was " an express endorsement
in this sense by the National Court ”.
It indicates that, after the entry into force of the RGPD, “within the framework of its obligations to
established pro-active responsibility [...] and even when the doctrine [...] of the
National Court had not been affected ”, has considered appropriate to notify the
inclusion of those affected whose data were recorded in the FIJ. However, he cautions
continuation that " the question of whether or not to carry out said notification has not
has been definitively adopted within the framework of the relationship between that AEPD and
ASEDÍS within the process of preparation and approval of the Code of Conduct to
that Equifax has already made repeated reference in its brief of allegations to the
Start."
It adds that the notifications to the interested parties of the inclusion of their data in the FIJ are
carried out through an independent third party, which carries them out through a
auditable procedure.
3.- Answer the third question indicating that, in congruence with the above,
You can only provide notification data from 05/25/2018, the date on which you have
considered appropriate to carry them out. It states that in its computer files it appears that,
Since 05/25/2018, they have sent a total of 509,470 notifications.
From here, the defendant breaks down the total number of notifications that says
having effected. He does the same when answering question number 4. It is reproduced
then the information you have provided in your response to the tests
complementary requested.
Breakdown by years of the notifications sent: 2018: 339,436; 2019: 116,236;
2020: 47.3888; 2021: 6,407.
4.- Answer question number 4 by providing some data -without documentary support
some- on the notifications that were unsuccessful broken down by years and
for return reasons. The reasons for return considered are: 01, details
incorrect; 02, deceased; 03, unknown; 04, absent; 05, refused; 06, others; 07,
Insufficient address; 08, wrong address.
Provide the following information about unsuccessful notifications:
1. Year 2018. Total unsuccessful claims: 66,418. Reason 01: 13,299; reason
02: 312; motif 03: 47,883; motif 04: 1,563; motif 05: 68; motif 06: 3,293.
2. Year 2019 . Total unsuccessful claims: 24,812. Reason 01: 5,498; reason 02:
139; motif 03: 17,299; motif 04: 462; motif 5:25; motif 06: 1.229.
3.Year 2020. Total unsuccessful claims: 9,673. Reason 01: 2,928; reason 02:
24; motif 03: 5,945; motif 04: 150; motif 5:23; reason 06: 603.
4. Year 2021. Total unsuccessful claims: 1. Reason 01: 1.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 87
87/184
5.- The evidence required in point 5 of the brief requesting evidence
The complementary purpose was for the respondent to provide a copy of the document
requested and its modifications, if any. However, the respondent has not
provided no document and has limited itself to answering that entities can
access the information registered in the FIJ as well as a contracted service from
independently or as a complementary service with other services
provided by EQUIFAX. Below, he has reproduced a few short excerpts that
supposedly come from the service contract signed with the entities that
access the FIJ, both of the contract model that was celebrated before the entry into
validity of the RGPD as of the model used after the entry into force of the
Regulation (EU) 2016/679.
Provide these texts for this purpose: With the heading “Section of stipulations / definitions
of the contract ”, reproduces a fragment that corresponds to the identification of the
claimed as a party to the contract. Between both contract models the text varies,
exclusively, at the domicile and in the mention of the inscription in the Registry of the
AEPD that is only included in the model used before the validity of the
GDPR.
" EQUIFAX: EQUIFAX IBERICA SL residing in [...], owner of the File of
Judicial Incidents and Claims of Public Organizations, whose information
comes from sources accessible to the public [...] (hereinafter THE JUDICIAL FILE),
its purpose being the provision of solvency information services
equity and credit ... "
Provide this other fragment with the heading "Clause of obligations and
responsibility: "" Of the fulfillment of the obligations that correspond to them
according [reference is made to the RGPD or the LOPD depending on the model
contract] and in the applicable national regulations. "
“Of the responsibilities that for each one could be derived before the AGENCY
SPANISH OF DATA PROTECTION (hereinafter AEPD). "
"Of the responsibilities that each one may be required by third parties
derived from their breaches of this contract. ".
THIRTEENTH: Test phase. Request for evidence to the Subdirectorate of the
General Registry of Data Protection of the AEPD.
In writing signed by the instructor on 02/04/2021, notified on 02/05/2021 that it consists
received on 02/09/2021, the Deputy Director General of the General Registry of
Data Protection of the AEPD, the following test procedures:
1.- To report if the AEPD code is currently approved
conduct of the Infomediary Sector that ASEDIE promotes. If so, please
to provide us with the date it was approved and send us a copy of the document.
2. If the aforementioned code of conduct has not been approved, please provide the
following documentation and information:
2.1. The copy of the draft code of conduct that ASEDIE presented to the AEPD
in May 2020.
2.2. To report if that Sub-Directorate has sent ASEDIE any assessment or
report regarding the project that you submitted in May 2020. If so,
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 88
88/184
Please provide a copy of this report and provide us with the date on which it was
had transferred to the Association -date of making available- as well as the date in
the one that the latter has agreed to the notification.
By writing signed and notified on 02/10/2021, the Deputy Director General of the
General Registry of the AEPD responds in the following terms:
“1.- The draft code of conduct presented for approval by the Agency
Spanish Data Protection by the Multisectoral Information Association
(ASEDIE), is in process, currently pending the report of the
Legal Office of this Agency.
2.-In the processing of the draft codes of conduct, successive
versions, in which the improvements resulting from the contacts that are usually
keep up with the promoters. In this case, in the month of May 2020, it was contributed by
ASEDIE a version of the draft code of conduct, a copy of which is attached, which
it was not the last.
3.- ASEDIE has not been notified of any report issued on the draft
code of conduct presented by ASEDIE. "
FOURTEENTH: Proposal for a resolution.
On 03/26/2021, the investigator of the file formulates a proposal for
resolution in the following terms:
"FIRST: That the Director of the Spanish Data Protection Agency
impose on EQUIFAX IBÉRICA, SL, with NIF B80855398, for an infringement of the
article 6.1 RGPD, in relation to article 5.1.a) of the RGPD, typified in article
83.5.a) of the RGPD, the following sanctions:
Pursuant to article 58.2.i) of the RGPD, an administrative fine of € 3,000,000 (three
millions of euros).
Pursuant to article 58.2.f) of the RGPD, the prohibition to continue the treatment of
personal data that you make through the File of Judicial Claims and
Public Organizations (FIJ) of which it is the owner.
In accordance with article 58.2.g) RGPD, to proceed to the deletion of all data
personal that, associated with alleged debts, are subject to treatment through the
of the File of Claims and Public Bodies (FIJ) of which it is the owner.
SECOND: That the Director of the Spanish Agency for Data Protection
impose on EQUIFAX IBÉRICA, SL, with NIF B80855398, for an infringement of the
article 5.1.d) of the RGPD, typified in article 83.5.a) of the RGPD, the following
sanctions:
Pursuant to article 58.2.i) of the RGPD, an administrative fine of € 3,000,000 (three
millions of euros).
Pursuant to article 58.2.f) RGPD, the prohibition to continue the treatment of
personal data made through the FIJ, of which it is the owner.
In accordance with article 58.2.g) RGPD, to proceed to the deletion of all data
personal that, associated with alleged debts, are subject to treatment through the
FIX.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 89
89/184
THIRD: That the Director of the Spanish Data Protection Agency
impose on EQUIFAX IBÉRICA, SL, with NIF B80855398, for an infringement of the
article 5.1.b) of the RGPD, typified in article 83.5.a) of the RGPD, the following
sanctions:
Pursuant to article 58.2.i) of the RGPD, an administrative fine of € 1,000,000 (one
million euros).
Pursuant to article 58.2.f) of the RGPD, the prohibition to continue the treatment of
personal data that you make through the File of Judicial Claims and
Public Organizations (FIJ) of which it is the owner.
In accordance with article 58.2.g) RGPD, to proceed to the deletion of all data
personal that, associated with alleged debts, are subject to treatment through the
File of Judicial Claims and Public Organizations (FIJ) of which it is the owner.
FOURTH: That the Director of the Spanish Agency for Data Protection
impose on EQUIFAX IBÉRICA, SL, with NIF B80855398, for an infringement of the
article 5.1.c) of the RGPD, typified in article 83.5.a) of the RGPD, this sanction:
Pursuant to article 58.2.i) of the RGPD, an administrative fine of € 1,000,000 (one
million euros).
FIFTH: That the Director of the Spanish Data Protection Agency
impose on EQUIFAX IBÉRICA, SL, with NIF B80855398, for an infringement of the
Article 14 of the RGPD, typified in article 83.5.b) of the RGPD, this sanction:
Pursuant to article 58.2.i) of the RGPD, an administrative fine of € 1,000,000 (one
million euros). "
The proposal was notified to the respondent on the same date of signature -26 / 03 / 2021-,
that accepts the notification on 03/29/2021, as evidenced by the certificate of the
FNMT that is in the file.
FIFTEENTH: Writings addressed to EQUIFAX and sending documentation to the
claimed.
In writing signed by the investigator of the file on 03/29/2021, notified in the
same date and whose notification was accepted by the claimed on 03/30/2021, you were
informs that the documentation regarding the latest
actions carried out in the procedure and it is requested that, if it appreciates that it has
incorporated into the proposal writing reserved information of a business nature,
communicate to this Agency in order to proceed to anonymize the information, whenever
that the AEPD is obliged to make its resolutions public.
In writing signed by the Deputy Director of Inspection on 03/29/2021,
informs EQUIFAX that a CD is being sent via postal courier
encryption with the documents of the file relating to the latest actions
practiced. The access code and the Hash are also provided. Notification of
writing is practiced and accepted by the recipient on 03/31/2021.
SIXTEENTH: Request for an extension of the term to make allegations to the
motion for a resolution. Response of the AEPD.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 90
90/184
On 03/30/2021, a letter from the
claimed in which you request that the extension of the initially set period be agreed
to formulate allegations to the proposal for the maximum legally allowed.
The AEPD responds to the request for extension in writing dated 03/30/2021, whose
notification is accepted on 03/31/2021, in which, pursuant to article 32.1 LPACAP,
agrees to extend by one business day the initial period set for making allegations to the
motion for a resolution.
SEVENTEENTH: Allegations of EQUIFAX to the proposed resolution:
On 04/15/2021 the writing has entered the electronic registry of the AEPD,
sent by EQUIFAX, through which it makes its allegations to the proposal of
resolution of the PS / 240/2019 that the entity received on 03/29/2021.
The defendant requests that a resolution be issued declaring the nullity of full right
of the procedure or, where appropriate, its expiration, for the reasons detailed in the
third claim. Alternatively, that the filing of the procedure be agreed upon
constitute the conduct object of assessment any violation of the regulations of
personal data protection. Subsidiarily with respect to the previous requests
that a warning sanction is imposed provided for in article 58.2 b) of the
RGPD or, failing that, a significant reduction in the amount established in the
resolution proposal in response to “ the numerous concurrent circumstances in
the assumption of fact prosecuted, which would entail a highly qualified reduction of the
Equifax's unlawfulness and culpability. "
In support of these claims he invokes the following arguments:
1.In the first claim, it “ratifies and reiterates” in its entirety the content of the
allegations made to the commencement agreement since, in his opinion, the proposal for
resolution does not contest in any way what is stated in said allegations.
2. The second claim deals with the existence of a “ media contest between the
all the infractions referred to in the proposed resolution that prevents
accumulate potential sanctions ”.
It states that the proposal identifies a plurality of infractions that,
supposedly, he would have committed EQUIFAX “when in fact all
They are subsumed and embedded in other offenses for which the AEPD wishes
sanction [it], giving rise to various cases of media competition in the
terms provided in article 29.5. of Law 40/2015 [...] "
It states that the AEPD cannot sanction EQUIFAX for all of the
infractions to which the proposal refers, since they are clear assumptions of bankruptcy
medial, so that only a single sanction can be imposed, in his opinion, the one
"Without success" , is imputed with respect to article 6.1.f), in relation to article 5.1.a)
GDPR. It states that, according to article 29.5 of the LRJSP, infractions must
be subsumed in the most serious “ we understand that the one that the AEPD imputes with respect to art.
6.1.f) (in relation to article 5.1.a) RGPD ”.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 91
91/184
It considers that, according to what was stated by the AEPD in the proposal, the
offenses attributed to EQUIFAX “[...] the offenses cannot be understood to have been
one without the other, requiring between them that some be executed to appreciate the
execution of the others ”,“ [...] to the extent that all the infractions allegedly
committed keep a direct connection and bring cause of each other, it is
inappropriate and contrary to the law to consider them as independent offenses ”.
Through six sections it details the existence of six cases of medial contest that
justify with references to the draft resolution proposal, which reproduces several
fragments. These assumptions are as follows:
to. Appreciates the existence of a first media contest between the infractions of art. 6.1
(in relation to article 5.1.a) of the RGPD, 5.1.b) and 5.1.d) of the RGPD.
It says to this effect: “ In this way, the supposed lack of compatibility of the purposes together
with the alleged infringement of the principle of accuracy constitute the infringement of the
principle of legality of the treatment, by which it is also intended to sanction
Equifax. As can be seen, there is already a first medial contest with
regarding the infractions of art. 6.1 (in relation to article 5.1.a) of the RGPD,
5.1.b) and 5.1.d) of the RGPD. "
It argues that, “ regarding the alleged violation of the principle of limitation of
purpose, the AEPD considers, which will be refuted later, that the purpose of the
original treatment and that of subsequent treatment by Equifax are incompatible ”.
That the AEPD, to determine if further treatment is compatible with the
The original treatment mentions, among other aspects, “(i) that it does not exist among the
complainants and Equifax no relationship linked to context, so that the
affected have not been able to have any reasonable expectation that their data would be
object of this treatment -quod non- (being the nonexistence of expectation of
treatment one of the criteria to determine the alleged violation of the principle
of legality); and that (ii) the File of Judicial Incidents (“FIJ”) violates the principle of
accuracy in its manifestation of updating the data (quod non), which, from
From the point of view of the AEPD, it aggravates the adverse consequences for
claimants whose data have been incorporated into the FIJ. "
It adds that, “ Likewise, the AEPD indicates that the judgment of suitability is not met [...]
since, for the treatment carried out by the FIJ could really satisfy
the interests that it invokes, it would be essential that the information on the alleged
debts attributed to claimants were up-to-date -accuracy principle-. "
b. Appreciates the existence of " a second medial manual contest [...]" between the
alleged infringements of articles 5.1.b), 5.1.c) 5.1.d) and 14 RGPD, of which
derives the alleged infringement of article 6.1.f) of the RGPD.
The respondent transcribes these paragraphs of the proposed resolution that lead her to
affirm that the AEPD subsumes within the infringement of the principle of legality all and
each of the other offenses that it also imputes:
“As has been stated in the preceding foundation, it is proven that the
treatment that EQUIFAX has been doing of the personal data of the claimants
violates the principle of purpose limitation provided in article 5.1.b) of the RGPD.
This breach has the consequence of causing the legitimate interest invoked
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 92
92/184
by EQUIFAX, on whose alleged prevalence supports the legal basis of the
data processing carried out (article 6.1.f, RGPD), cannot meet the requirement of
legality.
(…)
The illegality of the interest pursued by EQUIFAX is reinforced by the fact that the
data processing carried out by the FIJ not only violates the principle of limitation of
the purpose (article 5.1.b RGPD), but, as will be explained later, we consider
that violates other provisions of the RGPD: the principle of data accuracy (article
5.1.d); Article 14 of the RGPD in relation to Article 5.1.a) and the principle of
data minimization (article 5.1.c) ” (Emphasis added)
c. Appreciates the existence of a third medial contest between the infractions of the
Articles 6.1., in relation to Article 5.1.a) RGPD, 5.1.b) and 5.1.d) of the RGPD .
He argues the following:
“Regarding the alleged violation of the principle of accuracy, in the opinion of
the AEPD, the alleged disparity and incompatibility between the purpose of the treatment
originating and the one pursued by the FIJ determines that the information that this file
collects is fragmentary and, furthermore, is disconnected from the future of the debt.
On the other hand, among other considerations, the Proposal indicates (a point of view that
we share) that the FIJ violates the principle of accuracy also with regard to
the identification of the holders of the debts and the conclusion that can be drawn is
that it can hardly serve the legitimate interest that it wants to serve linked to the
fraud prevention (which, in case there are doubts, would be related to the
alleged violation of the principle of legality). " (The underlining is ours)
d. In point 4 he mentions the existence of two new media contests: The fourth,
between articles 6.1, in relation to article 5.1.a) RGPD, 5.1.b), 5.1.c) and 5.1.d)
GDPR. The fifth between the violation of article 5.1.c) and 14 of the RGPD.
It states that " the AEPD considers " that " the alleged violation of the principle of
Minimization is nothing but the sum of the alleged infringements of the principles of
limitation of the purpose, accuracy and legality and, in turn, results in the breach of the
art. 14 of the GDPR. "
To substantiate his argument, he reproduces the following excerpt from the brief of
proposal:
" Compliance with this principle by the claimed, as happens with other
principles already examined, such as legality or accuracy, is conditioned by the
infringement of the principle of limitation of the purpose in which the entity incurs with the
collection of data from official newspapers and gazettes that pursue a
purpose incompatible with that of the FIJ.
As a result of the illicit nature of the subsequent processing of the data collected
-that is, the one that the claimed carries out through the FIJ- it is shown that the
responsible for the treatment is in a situation of practical impossibility of
Respect the rest of the principles that according to the RGPD govern the treatment. (…)
As a first point, it should be noted that, as has been shown when examining
other principles, particularly that of accuracy, the data that EQUIFAX obtains through
of bulletins and official journals that feed the FIJ are not adequate for the purpose that
pursues the file, thus violating the principle of data minimization. The reason
fundamental is that they do not allow an update of the information regarding the
solvency of the debtor. It is added to the above that, while the publication of the data
does not include the address of the owner of the data, the claimed is not in a position to
to be able to comply with the information obligation set forth in article 14 RGPD ”.
and. It alludes to the existence of a fifth media contest -which was already announced in the section
precedent- between the principle of data minimization and article 14 of the RGPD.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 93
93/184
It states that in the opinion of the AEPD “ it is not possible to carry out the informative notification to the
interested in lacking the address information and that the attempt to link the number
identification of an interested party that is published in an official newspaper with the information
that is recorded in the FIJ, constitutes in turn an infringement of the principle of
data minimization (which this part denies). "
In support of this conclusion, he transcribes this excerpt from the
resolution:
"On the other hand, there is no doubt that EQUIFAX is obliged to inform interested parties
in the terms of article 14 RGPD each time you add your data to the FIJ
personal.
In line with this obligation, we must reiterate what has already been stated regarding the
violation of other provisions of the RGPD. In the behavior analyzed we start from a
Illegal processing of personal data, as data that were processed is collected
initially with a purpose that is incompatible with the purpose pursued by the
subsequent treatment, that is, the IJF, which conditions, how could it be otherwise,
compliance with the obligations that the RGPD imposes on the controller
to the point that these are impossible to comply with if not by infringing
for this, other provisions of the RGPD ”.
F. The defendant is limited to mentioning the existence of a sixth medial contest that
would occur between the infractions of articles 5.1.b), 6.1. and 14 of the GDPR.
It should be added that the respondent, when analyzing in its brief of allegations each one
of the infractions of the RGPD attributed to it, again affects the existence
of a media contest between the different imputed infractions.
3. The third allegation of the brief of allegations to the proposed resolution carries the
heading "Of the vices of nullity concurrent in the present procedure".
The defendant appreciates the existence of the causes of absolute nullity provided for in the
sections a) and e) of article 47.1 of the LPACAP. He affirms that these vices of nullity
they have generated a material and real defenselessness ; that we are not facing a violation
merely formal, but in the face of vices from which a material effect of
defenselessness and a real and effective impairment of the right of defense, with the
consequent damage.
The grounds for invalidity invoked are appraised in relation to the following
behaviors:
to. The inclusion of the amount of the sanctions in the initiation agreement, which in his opinion
constitutes a defect of absolute nullity provided for in article 47.1.a) LPACAP:
It reiterates what is alleged in the commencement agreement in the sense that the fixation in it of the
amount of the sanctions that would proceed to impose, without having previously heard the
allegedly infringing party, violates their right to effective judicial protection,
generates absolute helplessness and implies a breakdown of the principle of separation
between the investigative and resolution phases of the procedure, thus incurring
the vice of radical nullity of article 47.1.a) LPACAP.
It rejects the interpretation that the AEPD makes of article 85 LPACAP, in accordance with the
which “the determination of the amount of the sanction and the consequent evaluation of the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 94
94/184
concurrent circumstances in the case derives from [...] what is established in article 85
LPACAP. " It considers that this interpretation is contrary to the Spanish Constitution to
violate the protection of fundamental rights that is granted through it and
that the “ efficiency that could be pursued by determining the amount of the
sanction in the initiation agreement could never justify the violation of rights
fundamental of the insert that such action entails ”.
b. The violation by the AEPD of the rules that regulate the procedure
sanctioner regarding the protection of personal data and " the consequent
expiration at the end of the procedure ” , which constitutes a defect of nullity of the article
47.1.e) LPACAP.
It states that the AEPD has completely and completely dispensed with the procedure
legally established in articles 64 and 67 of the LOPDGDD and has incurred in a
abandonment of the powers attributed to it by the LOPDGDD and the RGPD. Abandonment
that has caused damage " because it has been considered by the AEPD as
aggravating circumstance of the type the continuing nature of the alleged infringement
during the period in which that AEPD declined to carry out any infringement against
Equifax ”.
Regarding the procedure, it transcribes articles 64.2 and 67 of the LOPDGDD and says
that from these provisions it is unequivocally deduced that the LOPDGDD, for
reasons of legal certainty for the company, has established a procedure
regulated and with clearly marked time limits ”. Therefore, according to
the foregoing, considers that the admission should follow without a solution of continuity
processing of the claim within a period of three months; the optional realization of
investigation actions for a maximum period of twelve months and the opening of
a sanctioning procedure. Thus, he affirms that the admission for processing of a
claim by the AEPD implies the recognition of the existence of
indications of violation of data protection regulations and this must imply
-argues EQUIFAX- that preliminary investigation actions are carried out or, if
considers that the infringement is manifest, as appears to be the case in the present case,
to proceed immediately to the opening of the sanctioning procedure.
In view of the foregoing, the respondent reaches the " obvious consequence " that if the
first claim was admitted on May 30, 2019 and the AEPD decided not to carry out
carry out investigative actions "the Agreement to initiate this procedure
should be from that date, so, being the maximum duration of the procedure of
nine months, the resolution [...] should have been issued on March 2, 2020 ”. Y
adds: “ In this way, the AEPD issued the Initiation Agreement long after
the date on which it should have issued a resolution if it had met the requirements
established in the data protection regulations, with which all actions
they should be considered expired. " (The underlining is ours)
It also refers to the situation of "inactivity" in which the AEPD estimates incurred in
in relation to the claims that were filed against EQUIFAX related to the FIJ.
He supports this conclusion in that of the 97 claims admitted against EQUIFAX only
some of them were transferred to the DPD; in that although all were admitted to
Some were processed " without a minimum legal reasoning "; in which the first
claim (claimant 25) entered the AEPD on 05/30/2019 and in which the AEPD did not
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 95
95/184
carried out preliminary investigation actions, for which, he affirms, from the admission
processing of claims until the Agency issues the agreement to initiate the
sanctioning procedure that concerns us, on 07/24/2020, did not perform any other
action.
c. It mentions the “ main circumstances ” that have occurred during the
processing of the procedure whose overview shows that the procedure
has been processed with a complete and repeated impairment of the rights that in the
framework of the administrative sanctioning procedure is granted by sections 1 and 2 of the
Article 53 of the LPACAP. It refers to the following circumstances:
1 No investigative actions were carried out prior to the opening of the
agreement to initiate the sanctioning procedure.
2.Delay in sending the copy of the administrative file: it is received by the
entity on the penultimate day of the ordinary period granted to allege, although it is granted
by the AEPD the extension of the term for the maximum legally allowed, five days, and
Consequently, he receives it with only six days remaining to issue his letter of
allegations. Remember that the file forwarded had an extension of 2,974 pages.
3.On 12/23/2020, the AEPD sends you a letter stating that “ it has been
found that, unfortunately, an incident of a technical nature cut off part of
of the documentation that made up the administrative file ” . It says that in the aforementioned
In writing, it is not granted a period of allegations since it was limited to indicating that the
The instructor would not proceed to the opening of the test phase until after the
least ten business days computed from the date of notification of the letter. Add:
" All this without any reference to the principle of integrity of the administrative file
electronic consecrated by article 70.3 of the LPACAP ”.
4. “ The aforementioned file turned out to be increased to 4,319 (that is, a
extension more than 45% greater than that of the file originally submitted), which
which motivated my client to expressly request the granting of a period for the
issuance of allegations and that the term for this be extended. The AEPD was limited to
Respond to said request indicating the specific date on which the opening of the
trial period, but without expressly granting my client any period to
allegations. " (The underlining is ours)
5.The test phase does not start until 01/20/2021, when almost
six months from the opening of the initiation agreement.
6.The proposed resolution is notified to EQUIFAX on 03/29/2021. In it, the two
initial accusations, contained in the initiation agreement, are expanded with three new
infractions “ without any of them having resulted from obtaining information
any additional charge that could have justified this triple charge ”. Warn no
we are before a new legal classification of the infractions but before three new
infractions added by the AEPD “ [...] in the last step of the procedure, three
new accusations on a legal basis that could have been used in his
integrity at the time the Initiation Agreement is issued ”.
7.That, in accordance with the changes introduced with the proposed resolution, it was requested,
under the protection of article 32.1 LPACAP, the extension of the period of allegations by the
maximum legally allowed (five days). However, “ the AEPD limits said
extension to the term of a single day in view of the evident risk of expiration of the
process". It states that “ In this way, it seems to deny my client a right
that the law grants as a consequence of the delay in the processing of the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 96
96/184
procedure solely attributable to the performance of that AEPD, which in no case
it should be detrimental to the Managed. " (The underlining is ours)
d. The inclusion of new infractions in the proposed resolution constitutes another of
the reasons that - in the opinion of the defendant - cause the radical nullity of the
procedure under article 47.1.a) of the LPACAP.
It explains that the new infractions that are attributed to it in the proposed resolution
have generated an undoubted defenselessness by having deprived him of the “right to know the
specific accusations aimed at limine against her and her rights of defense and
provision of means of proof relevant to their right, enshrined in article
24.2 of the Constitution as a manifestation of the right to effective judicial protection. " (The
underlined is ours)
In his opinion, the determination in the resolution proposal of new infractions
It is not covered or in the regulations governing the administrative procedure in
general nor, in particular, in that of the procedure in matters of data protection.
In accordance with articles 89.3 LPACAP and 90.2 that it transcribes, it formulates the following
conclusions:
(i) That it is the initiation agreement that will establish the limits on which it may
to carry out the final qualification in the resolution proposal.
(ii) That the resolution proposal cannot make new charges. Can
modify the initial qualification made in the initiation agreement by making an imputation or
imposing a more serious sanction than that established in the opening agreement, all of this
in accordance with article 64 of the LPACAP. It indicates that not even the Royal Decree
1398/1993, of August 4, which approved the Rules of Procedure
for the Exercise of Sanctioning Power (REPEPOS), repealed by the LPACAP,
provided for the realization of new charges but, solely and exclusively, the
modification of the classification of infractions that have already been communicated to the
inserted in the initiation agreement.
(iii) That the LPACAP does not allow the proposed resolution to make new
additional imputations to those included in the commencement agreement as this is
would cause an irreparable impairment of the rights granted to the accused
(iv) That the additional charges would require the processing of a new
process.
(v) That any action that is not “the referral of the file to the body
sanctioner in order to decide on the opening of the procedure
sanctioner in case of coinciding with the instructor's assessment of the
concurrence of new infractions ”would violate the rights of EQUIFAX by depriving it
of the guarantees that the company has recognized in the procedure
sanctioner, in particular in article 53.2 a) of the LPACAP ( right to “ be
notified of the facts attributed to him, of the infractions that such facts
may constitute and the sanctions that, where appropriate, may be imposed, as well
as well as the identity of the instructor, of the competent authority to impose the
sanction and the norm that attributes such competence ”).
4. Through its fourth claim, under the heading “ On the assessments made
by the AEPD on the basis of law IV of the proposed resolution ", he says,
on the one hand, that the AEPD has violated the principle of legitimate expectations and on the other
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 97
97/184
that the subjective element of the offense is missing in this case, in such a way that no
any sanction could be imposed by virtue of the principle of culpability recognized in
Article 28 of Law 40/2015, of October 1, on the Legal Regime of the Sector
Public (LRJSP)
The first section of this fourth claim refers to the pre-existing regime to the
GDPR and maintains that until the full application of the GDPR, and even later,
Until the entry into force of the LOPDGDD “there was an express legal provision that
recognized the legality of information systems that collect information obtained
with the consent of the interested party or from sources accessible to the public for the purpose
to evaluate the solvency of the interested parties ”. (The underlining is ours)
He mentions alleged reflections made in the motion for a resolution, which in no
case were made, and indicates that article 29.1 of the LOPD was not repealed neither totally nor
partially by the STJUE of 11/24/2011 or by the STS of 02/08/2012 “ nor the same
represented a limitation to the application of the precept that legitimized the treatment of
the personal data of the interested parties that were incorporated into sources
accessible to the public . " It says that “ For this reason, the statement contained in the
Proposal for a Resolution, which aims to indicate that the treatment carried out by
Equifax in the FIJ did not find protection in a legal presumption of prevalence of
legitimate interest, it simply lacks the reality of the provisions of jurisprudence and
the cited standards ".
Once again he affirms that the AEPD was fully aware of the existence and
operation of these information systems; that, even after the
STJUE, has considered sufficient to assess its legality the fact that the data
came from the aforementioned sources accessible to the public and that despite this the
AEPD did not direct any action against the FIJ to reproach the breach of the
data protection regulations.
In proof of these manifestations, it brings up the following actions of the
AEPD:
-The resolution issued in E / 04639/2013, in which -said- the basis for
agree the file was that the file (from Axesor, Database of incidents
judicial) was covered by article 29.1 and 4 of the LOPD.
-The inspection actions referred to in the resolution issued in the
PS / 104/2004, directed against a financial institution that claimed to have collected the
FIJ data. Law Foundation III of the resolution mentions the practice of
an exhaustive inspection in EQUIFAX “ in which it was verified, examining the
historical records of the file of Judicial Incidents, that indeed there were
annotations related to the complainant but that do not coincide with those registered in
Bank of Madrid. Therefore, there is no evidence of violation of the regulations of
data protection by Equifax Ibérica, SL . "
- The SAN of 03/29/2012 (appeal 525/2010), filed by EQUIFAX in front of the
sanctioning resolution of the AEPD of 05/05/2010, PS / 368/2009, of which
Fourth Law Foundation “it is clear the legality of the treatment carried out
by my client ”. The Basis of Law that is transcribed by the entity is the
following:
"In the brief of conclusions the appellant details his legal reasoning and
states that it is not that he obtained the complainant's data outside of a
source of public access and that has treated them without having their consent, but rather
obtaining the data from a legal source (such as Newsletters) has added
Information from the Bulletins that did not correspond to him. ""
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 98
98/184
-The numerous procedures processed in front of EQUIFAX by the alleged
breach of the obligation to inform the affected party. In this regard, it states that
sanctioning resolutions were annulled by the AN in its sentence of
02/27/2008 (Resource 358/2006).
-The internal report of the Subdirectorate General of the General Registry of Protection of
Data issued on 01/252019 that -states- “ evidence that there is a formal criterion
emanated from a body integrated into the AEPD [...] that pronounces clearly and
declares in favor of the legality of information systems similar to the FIJ, that
collect relevant information on the solvency of the interested parties from the sources
accessible to the public ”. Explain that the report, regarding information systems
similar to the FIJ, it says the following:
"In general, the code regulates the collection of personal data, in particular
when it is done through web pages, for which the obligations to
those to which associates are subject (article 6), as well as public sources (article
8). A consideration is made on the sources accessible to the public, of which the
infomediary sector is a traditional user, like those that can be consulted
by any person without general restriction of access to certain categories of
users, even when a consideration is required (article 8), which is online
with the interpretation that is made of this type of sources, and the principle of
accuracy of the data when collected from them, also in line with what is
collected in article 4 of the LOPDGDD. In addition, in Annex III corresponding to the
marketing activity, a list of the sources of access is included
public."
It qualifies as " fallacious " the following argument made in the proposal, since the
AEPD does not require the complaint of an affected person to carry out actions of
previous research:
" So that the AEPD could have ruled on the legality of the data processing
carried out by the FIJ, as the claim made by this Agency maintains,
it would have been essential that the Agency had previously carried out an analysis
on the aspects that have been indicated in the preceding paragraph. And that analysis only
could have been carried out well in the framework of a sanctioning procedure that
had as its object the alleged violation of the principles that according to the LOPD
presided over the treatment of the data through the treatment carried out by the FIJ, or
in the response to a query from the Legal Cabinet that the entity had estimated
It is appropriate to ask about the legality of the treatment that has been carried out. "
And it highlights the inaccuracy of the comments made in the proposal about TDs.
invoked by EQUIFAX because the assessment made in it is incorrect
on the scope of the procedure for the protection of rights.
It concludes from the preceding exposition that the arguments are distorted
set forth in Law Foundation IV of the proposed resolution.
It also concludes that the FIJ was fully known to the AEPD and that the
treatment has been carried out under the sight, science and patience of this
Control authority that at no time decided to carry out actions of
official letter or adopted any decision in terms similar to those that appear in the
motion for a resolution. Therefore, the AEPD, says the complainant, fails to comply with the principles
of legitimate confidence and legal certainty in the terms described in the
jurisprudence cited in the allegations to the initiation agreement.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 99
99/184
Starting from the consideration that there has been a bankruptcy of the principle of
legitimate confidence with the processing of this sanctioning file, the
claimed understands that the conduct under examination in this proceeding is
absent of guilt. His performance, he says, “ is situated in a field alien to that of the will
infringer ” and that“ His performance had been known and recognized (if not consented)
by the AEPD itself (and even if the latter differs from this opinion, it is undeniable
that Equifax had reasonable evidence, set out above, to support
consider that it was so). "
In line with the foregoing, it states that “ all the sanctions referred to in the
Proposal for a resolution must be annulled ”.
5. The fifth claim deals with the breach of the principle of limitation of
purpose.
It states that this principle has not undergone any modification in the RGPD, since
reproduces almost entirely what Directive 95/46 / EC established on it, and,
then, it goes on to state that “ within the transposition regime of the Directive
to our Right [...] ” article 29.1. of the LOPD “did not appreciate that [...] it was
contrary to the principle of purpose limitation enshrined in Directive 96/46 / EC, "
the processing of personal data carried out by those who are dedicated to the
provision of information services on financial solvency and credit
consisting of the collection of personal data obtained from the records and
the sources accessible to the public established for this purpose.
It also affirms that “ the legal basis that justified the collection of the data object of
publication [was] obtain information on the capital solvency and credit of the
interested parties based on the available information related to them ”, and that
"This legal basis was expressly included in the LOPD, and should
its article 29.1 be interpreted in the sense that [...] the treatment was covered
in the prevailing legitimate interest of those who proceed, as my principal, to
treatment of the data, since there is an unequivocal legal authorization for said
treatment could take place ”. (The underlining is ours)
The defendant concludes her argument regarding the " breach of the principle of
purpose ” with the paragraph that we reproduce:
" In short, the data is not processed in this case
contained in the FIJ for a purpose other than the one that motivated its collection, since
this was precisely what justified the maintenance of the data in the system and its
access by the entities that are adhered to the FIJ in order to
know the solvency and credit of its debtors or potential debtors,
on the basis of a prevailing legitimate interest that, at least until entry into
validity of the LOPDGDD was expressly authorized by the regulations of
personal data protection." (The underlining is ours)
In the same line of argument it says that " this compatibility (or that character" does not
different ”from the purpose) was appreciated even after the entry into force
of Royal Decree 181/2008, of February 8, on the organization of the official gazette «Boletín
Official of the State »(hereinafter,“ RDBOE ”), to which the
Proposal". Also, after the entry into force of Law 37/2007, of 16 December
November, on reuse of public sector information and Law 19/2013, of
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 100
100/184
December 9, transparency, access to information and good governance . (The
underlined is ours)
He also makes another equally surprising statement: “[...] it must be remembered that
measures adopted by RDBOE, which would reflect the restrictions that
subsequently, with regard to open data, the Group revealed
of Article 29 (hereinafter GT29) in its Opinion 3/2013 on the
limitation of purpose, [...] do not refer to data processing such as that carried out
carried out by my client through the FIJ, in which access to information is
limited to creditors or potential creditors of the interested party. These measures, by the
On the contrary, they try to avoid not an access subject to the condition of creditor, real or
potential, but an indiscriminate access to the data that is the subject of publication in the
official newspapers. " (The underlining is ours)
Insisting on erroneous statements he says: “ If one takes into account that since 2008, and
Until December 7, 2018, the RDBOE coexisted with the regime contained in the
Article 29.1 of the LOPD, it is not possible to reach any other conclusion than to consider that the
limitations to which the first cited rule refers cannot be
applicable to the case provided for in the second, which has a legal basis
specific and proper that legitimizes it. " (The underlining is ours)
6. The sixth claim deals with “the legality of the data processing in the FIJ and the
application of the weighting rule of article 6.1.f) of the RGPD. "
It states that none of the arguments contained in the motion for a resolution is
enough to refute what was stated in their allegations to the initiation agreement;
allegations that it takes for reproduced and complemented with what it now states:
That EQUIFAX has an “ evident legal basis, the concurrence of an interest
legitimate prevailing, for the treatment of the data in the FIJ. " Thus, it says that “[...]
These information systems were expressly equipped with a
presumption of prevalence of the aforementioned legitimate interest ”. (The underlining is ours)
Later he adds:
“Obviously, article 29.1 of the LOPD did not regulate the basic principles or the
legal bases of the treatment, but determined that, on the basis of principles and
legal bases identical to those contained in the RGPD, data processing
collected in it was lawful. That is, either article 29.1 of the LOPD is
exceeded the regime contained in the Directive, enabling nothing less
that a treatment that violated its articles 6 and 7 in the terms assumed by the
Proposal for a Resolution, something that no Court or the Institutions of the Union
European (and even less the AEPD itself) even hinted at any time or,
the principles and legal bases remaining unchanged, this treatment is so
according to the RGPD as it was to the Directive. This fact is undoubted, by far
that it is a question of forcing the argumentation in another sense. " (The underlining is ours)
It also states that in its previous allegations it proved that, in the
this case, concurred triple -idoneidad judgment, necessity and proportionality strictu
sensu - required by constitutional jurisprudence for the treatment carried out
by the FIJ it will be in accordance with the RGPD; weighting that, he affirms, is favorable to
legitimate interest that justifies it. Regarding the aforementioned triple judgment, it is limited to
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 101
101/184
make various considerations in relation to what was argued in the proposal of
resolution. Considerations that, for the most part, do not conform to the truth or not
they respect the context in which they were made. We reproduce some of them:
“[...] the Proposal for a Resolution: [considers] that the legitimate interest underlying the
processing of data in the FIJ is nothing more than a mere "convenience" for
"Perpetrate" what is called "intrusions a la carte" in the rights of the
interested parties (the expressions used are from the Proposed Resolution, not from my
represented). "
“[...] in the opinion of the AEPD the [CIRBE is] the only information system that contributes to
the purpose pursued by the treatment carried out by the FIJ. "
“[..] making the AEPD the principle of reasonable expectation (derived from nothing less
the fact that these systems exist in our law and have been expressly
regulated by it since 1992 and that the debtor must reasonably expect
that your creditworthiness will be assessed before obtaining a loan) in the “reasonable expectation”
of the delinquent debtor that their debt is not known and the financing is granted, even
when this damages the principles of responsible credit enshrined by the
legislator".
7. The seventh claim refers to “ compliance by Equifax with the principle of
accuracy "
He places the starting point of his argument in the necessary clarification of “ what is the
purpose of the FIJ ", since" article 5.1.d) of the RGPD links "accuracy" with "the
purposes for which "the data" is processed.
He then states that the " purpose of the FIJ" is "to reflect the existence of a debt
as stated in the announcement and at the time of its publication in the official source
correspondent". (The underlining is ours)
From the foregoing, it follows that the circumstance that the FIJ cannot show which is the
debt situation at the time of consultation does not allow rating the information
inaccurate in the terms provided in article 5.1.d) RGPD. It is not inaccurate, he says.
the one claimed - because it correctly collects the information that is necessary for the
purpose sought by the FIJ, "to help Equifax clients assess their solvency ."
Therefore, he clarifies, the information would be inaccurate if, " contrary to what the
file ” , will not correctly reflect the information that appears in the published announcement.
Conjecture that the AEPD, in order to qualify the contained data as inaccurate
in the FIJ, has proceeded in the resolution proposal, incorrectly, to associate the
" Assessment of the solvency of those affected" with information about the "situation
current "at the time of the consultation of the debt of the people."
It goes on to refer to the suitability of the information contained in the FIJ to assess the
creditworthiness of a person; suitability which, he affirms exhaustively, is out of all
doubt as has been confirmed for twenty-five years by the “ enormous number of
entities that have been resorting to the FIJ to assess solvency "He warns that a
judgment of suitability requires a thorough knowledge of the subject and that to what extent
know the AEPD is not an entity that carries out analysis in its day-to-day activities
solvency.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 102
102/184
It states that the FIJ “ covers an undeniable need of the creditor market and the
fights against delinquency and fraud ”and then states: “ [...] it is clear that
The FIJ information constitutes a complement to the files referring to the
debts contracted with in the private sector [...]. It is obvious that "in an ideal world"
it would be preferable if the FIJ could be updated as completely as it happens
with the credit information systems of article 20 of the LOPDGDD.
Unfortunately, this is not possible since the Administrations do not publish
information in this regard, without such circumstance being considered in any
case as a case of "inaccuracy" of the information, for the reasons already stated. "
(The underlining is ours)
It also argues, as it had already done in the brief of allegations to the commencement agreement,
that article 4.2 d) LOPDGDD establishes a presumption of accuracy that cannot
be misrepresented “ by the result of the AEPD investigation, not even by the
provision of evidence by the interested party ”and“ contains an imperative mandate of
disclaimer to the person who has collected the data under their
content ”.
It indicates that this provision - 4.2.d) LOPDGDD- has to be connected with the
BOE regulatory regulation that “ establishes a presumption of veracity and
authenticity of the information contained therein, which guarantees the principle of
accuracy " and concludes that" the accuracy of the information referred to the notifications
incorporated into the FIJ [...] derives directly from said publication [in the BOE] and the
LOPDGDD ”.
Finally, invoke two more arguments: That until the repeal of the LOPD
EQUIFAX “was [...] protected by the express legal authorization contained in the
Article 29.1 LOPD and the action of the AEPD for which documentation was required
accrediting the payment so that it could proceed to its deletion ”. And, regarding the accuracy of
the identification data of the alleged debtors, affirms that "he accredited during the
trial period that only proceeds to the processing of those data regarding
of which it has sufficient means to guarantee the accuracy of the information
treated . " It adds in this regard that, as a consequence of the entry into force of the
LOPDGDD, adopted measures so that only the data of
stakeholders of which there are sufficient elements to guarantee their
full identification, which has been reflected in a decrease in the number of
inclusions in the file.
8. The eighth claim analyzes the “ compliance by Equifax with the principle of
data minimization. "
The defendant states that the statement made in the proposed resolution in
relation to the infringement of the principle of minimization of data that is imputed to him does not
allows us to discern its connection with the aforementioned principle. He adds that “ nowhere in
The Proposal indicates that the collection of data referring to the name, surname,
identification document, address and characteristics of the debt contracted are not
adjusted to the aforementioned purpose nor is a trial or proportionality assessment carried out
some about it. " It concludes that the aforementioned offense appears to have been included in the
resolution with “ a mere intention to increase, [...] in a completely
the reproach directed against ” EQUIFAX.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 103
103/184
It indicates that the reasoning of the AEPD in the proposed resolution leads to,
when it is considered that a certain treatment violates the principle of
limitation of the purpose (which the defendant denies) “ would also breach the
minimization principle, since more data would be processed from
those legally enforceable in the opinion of the Agency. This argument, by definition
it would be inadmissible, [...] "
Finally, it adds that, as a consequence of the entry into force of the LOPDGDD,
“ Has put into practice measures aimed at making the data processing result
adjusted to the principles of accuracy and minimization and that only the
treatment in the event that compliance with such principles is guaranteed, for
which is not enough to understand the effect that the entry into force of said provision
can lead to the alleged violation of the principle of minimization. "
9. Ninth claim, relative to the non-existence of infringement of article 14 of the RGPD.
Regarding this violation, the respondent analyzes three different scenarios.
(i) The regime prior to the entry into force of the LOPDGDD, in which, it affirms, it is
waived the obligation to inform interested parties of the processing of their data
personal activities carried out at the FIJ, as confirmed by a “very reiterated
jurisprudence ”that determined that as of the SAN of 02/27/2008 the AEPD did not
issue any sanctioning resolution for breach of the obligation to
notify.
(ii) The existing regime during the validity of the LOPD, as of the date on which the
dictates the judgment of the CJEU of 11/24/2011. He considers that the situation was identical to the
above and that it was the motion for a resolution that " creates ex novo " a line
argumentation that understands that the previous criterion was modified from the aforementioned
STJUE. In the opinion of the complainant, the proposal eliminates “ the possibility of founding the base
of the FIJ in the provision of article 29.1 LOPD ”. Therefore, it requires that the
exclusion from the duty to inform did not derive from the nature of the sources
obtained the information, but from article 29.1, in relation to 29.4 and in relation to
article 5.5. LOPD.
(iii) The system after the effective application of the RGPD, in which EQUIFAX has
considered " necessary to comply with the duty to inform." After which, add
that, “ although he could have considered that the causes that exonerated him from said
obligation under the LOPD that, do not forget, remained in force until 7
December 2018, they continued to protect him. " This commitment made as a result of the
effective application of the RGPD has materialized in the “ notification to all
interested in the inclusion of their data in the FIJ ", which constitutes a" commitment
additional entity with the guarantee of the right to data protection ”.
The respondent affirms that the proposal considers that “ this duty of information is not
has complied with the data included in the FIJ prior to entry into
validity of the LOPDGDD, that is, when there was a rule that excluded the duty of
information."
It also states that after the entry into force of the LOPDGDD it could be distinguished
" Two types of data" :
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 104
104/184
(i) Those introduced prior to the entry into force of the RGPD, with respect to the
which says that “[...] the principle of minimization and the cited interpretation of Article 11
excluded the possibility of obtaining additional information with the sole protection of giving
compliance with the duty to inform ”. Regarding article 11 of the RGPD, it indicates that
interpret by analogy, as it affects the processing of data additional to those
required for the fulfillment of the purpose of the treatment, the provisions of that
precept, according to which “[s] i the purposes for which a controller processes data
personal data do not require or no longer require the identification of a data subject by the
responsible, it will not be obliged to maintain, obtain or process information
additional in order to identify the interested party with the sole purpose of complying with the
these Regulations ”. It therefore considers that it could be concluded that, if the purposes of the
treatment does not justify the processing of additional data, could not hide behind the
compliance with the RGPD to collect such data.
(ii) Those incorporated into the FIJ after said entry into force, with respect to the
that Equifax chose, compared to the other entities in the sector, to comply with the
Article 14, proceeding to notify all interested parties of the incorporation of their
data to FIJ.
It concludes that it has fully complied with the duty of information regarding all
those treatments carried out since the entry into force of the RGPD, therefore, “Under the
previous regulation (LOPD) was exempt from complying with this obligation. " and after
" The entry into force of the RGPD, the provisions
in article 14.5 a) of the RGPD, as the information is impossible or requires efforts
disproportionate, something that the Proposal itself explicitly recognizes. "
EIGHTEENTH: Letter from EQUIFAX requesting that reports be sent to it
internal SGRGPD and the suspension of the term to formulate allegations to the
motion for a resolution.
On 04/07/2021 a letter from EQUIFAX addressed to the Sub-Directorate was received at the AEPD
of Inspection of the AEPD in which it states that, through the Cabinet Report
Legal 89/2020, has been made aware of the existence of two reports issued by
the General Subdirectorate of the General Data Protection Registry of dates
01/25/2019 and 09/18/2020. It indicates that, since they are relevant to the defense of their
rights within the framework of the PS / 240/2019, requests that this Sub-Directorate be sent
copy of both documents. It requests that “ the suspension of the
deadline for the issuance of the allegations to the Proposal for Resolution during the
period between the present request and the referral of the reports to it
requested. "
The Deputy Director General of Inspection addresses the Deputy Director of the RGPD in writing
signed on 04/08/2021 and gives you transfer of the letter sent by EQUIFAX for the purposes
timely. On 04/09/2021, the written Inspection Sub-Directorate of the
Deputy Director of the RGPD informing that on that date he has proceeded to transfer to
EQUIFAX of the requested reports.
Of the actions carried out in this procedure and of the documentation
Obrante in the file, the following have been accredited:
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 105
105/184
PROVEN FACTS
FIRST: The documents that the claimants
sent to this Agency with their claim or in a subsequent process, informing
of the annotations for debts that appear in the FIJ on the date that appears in the
corresponding document, linked to your personal data (name, surname and
NIF; Name and surname; only NIF or, sometimes, some of those data combined
with address).
The information provided by the documents provided by the claimants on the
annotations for debts linked to your personal data has been collected in the
Second antecedent of this proposal. To said Second Antecedent, the
information from the documents provided, indicating the date that appears on the
informative document of EQUIFAX, the personal data that identifies the
claimant, the date of registration of each entry, the source from which the
information, the creditor Administration and, where appropriate, the amount of the debt and the
concept of non-payment.
Therefore, such information collected in the second Antecedent relative to the
claimants constitutes a proven fact integrated into this First Proven Fact
in which it is considered reproduced.
SECOND: According to the documents in the administrative file
related to the result of access to the FIJ that the claimants contributed to this Agency
it has been verified that, after the date of entry into force of the
LOPDGDD, on 12/07/2018, being the origin of the TEU-BOE information, they were given
high annotations for alleged debts. These cases include those of
claimants 9; 10; 15; 31; 77; 83; 87 and 89.
THIRD According to the documents in the administrative file, the
evidence that the identification of the interested parties carried out by the FIJ takes into
consideration of the address data for lack of NIF. We refer to the assumptions
raised by the complainants 18; 27; 27; 30 and 33, among others.
Likewise, there are annotations for debts in which the date of registration of the annotation
-in which EQUIFAX places the initial term for the computation of the maximum time of
permanence of the data in the file, which is six years - it is after the date
expiration date of the obligation. This is the case of claimant 18; 26; 29 among others.
FOURTH: That, according to the documentation in the file, the FIJ
reflected non-existent debts with respect to the claimants identified with the numbers
37; 38; 40; 41; 42; 48; 50; 52; 53; 54; 59; 62; 75 and 95. There are very many claimants
that without providing documentation that proves it, they deny the existence of the debt that
it appears in the FIJ.
FIFTH: EQUIFAX affirms that the number of natural persons of those who existed in
The FIJ data records active during the last six years is shown in the
following two tables that it provides:
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 106
106/184
-A table with the " average number " of natural persons who, in the period 2016-2021,
featured in the FIJ:
Year 2016: 4,624,312; year 2017: 4,879,391; year 2018: 4,940,225; year 2019:
4,657,196; year 2020: 4,183,445; year 2021: 3,826,436.
- A table with the number of natural persons that have been included in the FIJ since
on 05/25/2018:
In the year 2018: 196,653; in 2019: 62,113; in 2020: 20,193 and in 2021:
2,358.
The entity states that since 05/25/2018 a total of
282,037 natural persons and that most of the records that remain in the
file are prior to the entry into force of the RGPD.
SIXTH: EQUIFAX affirms, in response to the requested test, that the criteria that
uses the FIJ to organize the personal data that are subject to treatment with the
The purpose of their holders being duly identified, are the
following:
a) If only the NIF / NIE is published: then “it is verified whether on the date of
publication, the NIF / NIE in question, is registered in the active information
of the FIJ (excluding therefore the one that is blocked). Depending on the result
obtained, different actions are carried out : "
a´) If the identifier is already included in the FIJ associated with a name and surname,
registers in the FIJ the new published information.
a´´) If that identifier is not included in the FIJ, the recording of the registry is discarded .
b) In the event that the name and surname and incomplete NIF / CIF are published:
d skip the recording of the data in the FIX file
c) Cases in which name + surname + address is published: It proceeds
to the recording of the record in the FIJ file, associating both data.
d) Cases in which only name + surname appears published: In this
Of course, the recording of the data in the FIJ file is discarded .
(The underlining is ours)
"
SEVENTH: EQUIFAX, in response to the question asked regarding the protocol that
has been in place for the past six years to ensure that data
personnel that incorporated the FIJ were duly updated, in all
moment, it states the following:
“To ensure that the data captured in the FIJ is up-to-date, Equifax is
mainly based on:
1) Limitation of the sources from which the FIJ file is fed: as already reported in
our previous writings, Equifax collects the information that is registered in the FIJ of
the Official Gazettes published by the State, the Autonomous Communities,
Provincial Councils.
The exclusive use of this source guarantees that all the information that is
collect is considered official and authentic as indicated in article 3.1 of the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 107
107/184
Royal Decree 181/2008, of February 8, on the organization of the official gazette << Bulletin
Official of the State >>. Therefore, the use of this source is, in our opinion, a
guarantee that there are no doubts about the updating and veracity of the
information incorporated into the FIJ.
Newsletters are downloaded the same day they are published, so the information
of the FIJ is updated on a daily basis with the information contained in the Bulletins.
2) Automatic information capture processes: downloading the newsletters and the
subsequent registration of the data in the FIJ is done through automated processes
thus avoiding possible errors from manual processes. For reading
the data of the newsletters are used OCR reading processes that guarantee the
correct reading and recording of the data published in the bulletins
3) Recording criteria: as we have indicated in the answer to the first
request for information from the AEPD, Equifax has implemented criteria of
specific recording and already detailed previously to that AEPD, in order to ensure that
the holders are unequivocally identified for their inclusion in the
FIX. These criteria guarantee that there is only data of holders duly
identified
4) Notification of inclusion: this part has been making to the holders whose data have
been collected since May 25, 2018, a specific notification of your
inclusion in the FIJ, as a measure to guarantee the updating of the data. Said
communications allow interested parties, in a free and simple way,
check if indeed the data that have been published by the different
Official bulletins that have been collected by my client contain some error.
5) Attention to Exercise of rights: by attending to claims of the
holders in the exercise of their rights, the interested parties may, in accordance with
provided for in the data protection regulations, know what data is included in
the FIJ, for what purpose they are used, and, at all times, rectify, cancel, oppose and
limit the processing of your personal data. " (The underlining is ours)
EIGHTH: EQUIFAX affirms that during the validity of the LOPD it did not notify the
affected the inclusion of their data in the FIJ, conduct that justifies the existence of
" An express endorsement in this regard by the National High Court" that in
numerous judgments -SSAN of 06/29/2001 (Rec. 1012/1999); 11/29/2001
(Rec. 531/2000) and of 02/27/2008 (Rec. 358/2006) - declared that the
data protection contained in the LOPD, article 29.1., did not impose an obligation
to notify the interested parties of the inclusion of their personal data in the FIJ.
NINTH: EQUIFAX states that, after the entry into force of the RGPD, it has considered
It is appropriate to notify the inclusion to those affected whose data were recorded in the FIJ.
It also affirms that, since 05/25/2018, the sending
out of a total of 509,470 notifications, which is broken down as follows
(year / notifications sent): 2018: 339,436; 2019: 116,236; 2020: 47.3888; 2021:
6,407.
It does not provide documentation that proves its manifestations, despite having requested
expressly.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 108
108/184
TENTH: Regarding the total of notifications of inclusion that EQUIFAX claims to have
sent to those affected, has reported those that were unsuccessful, broken down
for the following return reasons:
01, wrong signs; 02, deceased; 03, unknown; 04, absent; 05, refused; 06,
others; 07, insufficient address; 08, wrong address.
Unsuccessful notifications for years:
-. Year 2018 Total unsuccessful claims: 66,418. Of them, for reasons 01 and
03 a total of 61,182.
-. Year 2019 . Total unsuccessful claims: 24,812. Of them, for reasons 01 and
03 a total of 22,797.
-. Year 2020 Total unsuccessful claims: 9,673. Of them, for reasons 01 and
03 a total of 8,873.
-. Year 2021. Total unsuccessful claims: 1. Reason 01: 1.
It is found that reasons 01 and 03 represent more than 90% of the notifications
unsuccessful.
ELEVENTH: In the final version of the RAT corresponding to the FIJ that EQUIFAX has
provided, point 8, "Information deletion periods ", reads as follows:
" The information is accessible for 3 months and then is stored in a directory
Linux in order to be able to work later with the data. Bliss
The information, saved in “PDF” format, will be available for a period of 10
years from the date of publication, and this with the sole purpose of being able to attend the
possible claims and respond to requests for information by the
competent administrative body, as well as the courts and tribunals. "
TWELFTH: In the document provided by EQUIFAX regarding the interest analysis
prevalent (LIA, judicial file, 2019), in point 7, and in the section dedicated to the
measures that it is proposed to implement, specifically regarding the guarantees of the
principles of data protection, consists of the following:
"1.1 Principle of purpose" "On the other hand, the principle of purpose includes the limitation
of the subsequent uses of the data, since the RGPD prohibits in its article 5.1 a)
the subsequent processing of the data for purposes incompatible with those that motivated its
collection, although it exempts from this limitation the use of data for archiving purposes
public interest or scientific or statistical research. " (The underlining is ours)
"1.4. Principle of accuracy ”“ In compliance with this principle and given that the
Edict publication only recognizes the existence of the obligation to satisfy the
owed, but there is no additional information that allows to know
effectively if that amount is owed at the time of notification of
inclusion, a possible solution to this problem would be the limitation of very
brief references to the aforementioned communications, and in the analyzed system this
This requirement is met, as the term is reduced to the publications that have occurred in the last
five months. However, this reduction does not allow us to fully bypass the
risk derived from the treatment of these data, being able to see the qualification of a
negatively interested by the fact of incorporating an edict notice
referred to a debt already paid in the same way that it could be affected
favorably the subject to whom a notification had been made with a
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 109
109/184
seniority of more than five months and had not proceeded to pay the amount
owed. " (The underlining is ours)
THIRTEENTH: The Deputy Director General of the General Registry of the AEPD, in the
Written response to the requested test, dated 02/10/2021, states that, in
that date, the draft code of conduct presented by ASEDIE for its
approval by the AEPD was in process, pending the report of the
Legal Office of the AEPD, and that the aforementioned Association had not been transferred
of any report issued on the draft code of conduct.
FOURTEENTH: Work in the administrative file the response of the Secretariat
General of AEBOE to the consultation of several claimants (among others the claimant 55)
about whether it is lawful for your personal data to be collected, which appears in the
notifications inserted in the BOE Notification Supplement, to
incorporate them into a profit-making database in which it concludes:
"In accordance with the foregoing, this State Agency considers that the reuse of
personal data such as names, surnames, ID associated with debts, published
in the BOE, that you. requests, it would not be a lawful treatment of personal data
of those provided for in art. 6 of RGPD and, therefore, in accordance with the regulations both
in Regulation (EU) 2016/679 as in Organic Law 3/2018, of December 5,
they should not be subject to reuse by third parties. "
FIFTEENTH: The defendant affirms that the net amount of the turnover of
EQUIFAX IBÉRICA, as of 12/31/2019, amounted to € 42,259,655.
Regarding the “ direct income in relation to the service of access to the FIJ provided
to customers directly since 2015 ” reports these amounts:
€ 316,204 in 2015; € 291,950, in 2016; 289,854 in 2017; € 290,256 in 2018;
€ 269,415 in 2019 and € 1,734,763 in 2020.
He makes three qualifications that affect the amounts he has provided. That can not
determine what part of the price that customers who hire globally satisfy
other services together with the FIJ should be imputed to the FIJ. That neither can
break down of the direct income obtained which part corresponds to access to the FIJ
to obtain information from legal entities. And that the direct income figure does not
takes into account costs, as the entity lacks a system for allocating
costs linked to each of the files it manages.
FOUNDATIONS OF LAW
I
Competence
The Director of the Spanish Agency is competent to resolve this procedure
of Data Protection, in accordance with the provisions of article 58.2 of the RGPD
and in articles 47 and 48.1 of the LOPDGDD.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 110
110/184
II
Applicable provisions
The RGPD dedicates its article 5 to the principles that govern the processing of data
personal, precept that provides:
"1. The personal data will be:
a) treated in a lawful, loyal and transparent manner in relation to the interested party ("lawfulness,
loyalty and transparency ”);
b) collected for specific, explicit and legitimate purposes, and will not be processed
subsequently in a manner incompatible with said purposes; in accordance with article 89,
section 1, the subsequent processing of personal data for archiving purposes in
public interest, scientific and historical research purposes or statistical purposes are not
deemed incompatible with the original purposes ("purpose limitation");
c) adequate, relevant and limited to what is necessary in relation to the purposes for which
that they are processed ("data minimization");
d) accurate and, if necessary, up-to-date; all measures will be taken
reasonable so that the personal data that
are inaccurate with respect to the purposes for which they are processed ("accuracy");
e) maintained in a way that allows the identification of the interested parties during the
longer than necessary for the purposes of processing personal data; the
Personal data may be kept for longer periods provided that
treat exclusively for archival purposes in the public interest, research purposes
scientific or historical or statistical purposes, in accordance with article 89, paragraph 1,
without prejudice to the application of the appropriate technical and organizational measures that
imposes these Regulations in order to protect the rights and freedoms of the
data subject ("limitation of the conservation period");
f) treated in such a way as to guarantee adequate data security
personal data, including protection against unauthorized or illegal processing and against
its loss, destruction or accidental damage, through the application of technical measures
or appropriate organizational ("integrity and confidentiality").
Article 5 of the RGPD adds in its section 2 that " The person responsible for the treatment
will be responsible for compliance with the provisions of section 1 and capable of
prove it ("proactive responsibility") "
Article 6.1. of the RGPD, under the heading " Legality of the treatment ", specifies the
cases in which data processing is considered lawful:
"1. The treatment will only be lawful if it complies with at least one of the following
terms:
a) the interested party gave their consent for the processing of their personal data
for one or more specific purposes;
b) the treatment is necessary for the execution of a contract in which the interested party
is part of or for the application at his request of pre-contractual measures;
c) the treatment is necessary for the fulfillment of a legal obligation applicable to the
responsible for the treatment;
d) the treatment is necessary to protect vital interests of the interested party or of another
Physical person.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 111
111/184
e) the treatment is necessary for the fulfillment of a mission carried out in the interest
public or in the exercise of public powers conferred on the data controller;
f) the treatment is necessary for the satisfaction of legitimate interests pursued
by the person responsible for the treatment or by a third party, provided that on said
interests do not override the interests or fundamental rights and freedoms of the
interested party who require the protection of personal data, in particular when the
interested is a child.
The provisions of letter f) of the first paragraph will not apply to the treatment
carried out by public authorities in the exercise of their functions.
[....]
4. When the treatment for a purpose other than that for which the data were collected
personal data is not based on the consent of the interested party or on the Law
of the Union or of the Member States that constitutes a necessary measure and
proportional in a democratic society to safeguard the stated objectives
in article 23, paragraph 1, the data controller, in order to determine
if the treatment for another purpose is compatible with the purpose for which they were collected
initially personal data, will take into account, among other things:
a) any relationship between the purposes for which the data was collected
personal and the purposes of the planned further processing;
b) the context in which the personal data was collected, in particular for what
Regarding the relationship between the interested parties and the person responsible for the treatment;
c) the nature of the personal data, specifically when categories are processed
special personal data, in accordance with article 9, or personal data
relating to convictions or criminal offenses, in accordance with article 10;
d) the possible consequences for the data subjects of the planned further processing;
e) the existence of adequate guarantees, which may include encryption or
pseudonymization. "
III
Of the alleged nullity of this procedure.
It is necessary to examine, first, the question relating to the invalidity of the
sanctioning procedure that the respondent has repeatedly invoked, both in its
two briefs of allegations to the commencement agreement - dated 02/19/2018 or earlier
allegations to the commencement agreement and the one dated 01/24/2021 or allegations
Complementary - as in the allegations to the proposed resolution.
In particular, in the brief of allegations to the proposed resolution, it uses the
concurrence of the causes of absolute nullity provided for in sections a) and e) of the
Article 47.1 of the LPACAP and affirms that these defects of nullity have generated a
material and real defenselessness since in addition to not being a violation
merely formal has suffered a real and effective impairment of the right of defense,
with the consequent damage.
The following behaviors that relate in the letter your allegations to the proposal
would have caused, in his opinion, the defects of nullity that he claims:
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 112
112/184
to. The inclusion of the amount of the sanctions in the initiation agreement, which constitutes
a defect of absolute nullity provided for in article 47.1.a) LPACAP.
With this, it reiterates its allegations to the agreement to open the procedure in which
argued that the procedure was invalid due to the defenselessness
generated by having fixed in it the amount of the sanction instead of expressing only the
limits of the possible sanction. That, due to this circumstance, the initiation agreement exceeded
of the legally foreseen content, violated article 68 of the LOPDGDD, and it was seen
affected the impartiality of the investigating body, which it knew before starting the
procedure the criterion of the body to which the file must be submitted, in clear
breach of the principle of separation of the investigation and sanction phase (article 63.1 of
LPACAP).
It also considered in these allegations that the rules of article 85 of the LPACAP
were not applicable to the present case but to the cases in which the norm
sanctioning system imposes a fine of a fixed and objective nature and that the application
had made this precept in the initial agreement did not respect its literal wording,
according to which the amount of the pecuniary sanction may be determined “ beginning on
sanctioning procedure ”, for which, he affirms, it would be assimilating“ the act itself
of initiation with the fact that the procedure is initiated ”.
As stated in the proposed resolution, this Agency cannot share the
position of the defendant that the sanctions have been included in the initiation agreement
that could correspond for the imputed infractions is determinant of
defenselessness or supposes a breakdown of the principle of separation of the
instruction and resolution; on the contrary, this fulfills the requirements
provided for in articles 64.2 and 68 LPACAP.
It cannot be ignored either that article 85 of the LPACAP -which contemplates the
possibility of applying reductions on the amount of the sanction in the event that
the offender recognizes his responsibility and in case of voluntary payment of the sanction-
obliges to determine these reductions in the notification of the agreement to initiate the
procedure, which necessarily implies that the
amount of the sanction corresponding to the imputed facts.
On the other hand, compared to what was expressed by the complainant, article 85 of the LPACAP does not
It provides that the amount of the sanction will be determined once the procedure has begun .
Rather, it is the recognition of responsibility and voluntary payment of the
sanction what has to occur after that moment and not the fixation of the
amount of the penalty.
EQUIFAX considers that this interpretation of the AEPD - according to which "the determination
of the amount of the sanction and the consequent evaluation of the circumstances
the case comes from [...] what is established in article 85 LPACAP ”- it is contrary to
the Spanish Constitution since, it says, violates the protection of the rights of
fundamental factors that are granted through it and that the “ efficiency that could
be followed with the determination of the amount of the sanction in the initiation agreement never
could justify the violation of the fundamental rights of the accused that such an act
situation entails ”.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 113
113/184
In addition to what has already been stated in the proposal phase, the AEPD understands that the interpretation
The literal interpretation of the precept that he has been doing is congruent with the provisions of the
different sections of the article and that it is not up to this body to rule on
on the alleged unconstitutionality of this legal provision. On the other hand, the Chamber
of the Administrative Litigation of the National High Court has resolved numerous
courses against AEPD resolutions issued in procedures whose agreement to
The beginning set, as in this one, the amount of the penalties, without having been raised by
the appellants or by the Court the controversy over the interpretation and application of
the rule that the claimed raises.
On the alleged breach of the principle of separation of the phases of investigation and
resolution derived from having established the adjudicatory body in the agreement to initiate the
size of the sanction, thus conditioning the independence of the instructor, it does not seem that
In the assumption that concerns us, the conditioning of the insti-
tructor referred to by the claimed.
b. The violation by the AEPD of the rules that regulate the procedure
sanctioner regarding the protection of personal data and " the consequent
expiration at the end of the procedure ” , which entails a defect of nullity of the article
47.1.e) LPACAP.
EQUIFAX maintains that the AEPD has totally and completely dispensed with the procedure
to legally established in articles 64 and 67 of the LOPDGDD and has incurred
a abandonment of the powers attributed to it by the LOPDGDD and the RGPD. Let-
tion that has caused damage " because it has been considered by the AEPD
as an aggravating circumstance of the type the continuing nature of the alleged infringement
during the period in which that AEPD declined to carry out any infringement against
Equifax ”.
Regarding the procedure, it transcribes articles 64.2 and 67 of the LOPDGDD and says
that from these provisions it is unequivocally deduced that the LOPDGDD, by ra-
areas of legal security for the company, has established a procedure for
frozen and with clearly marked time limits ”. Consider, therefore, that
The admission for processing of the claim must be followed without solution of continuity
within three months; the optional performance of investigative actions
for a maximum period of twelve months and the opening of a sanctioning procedure.
dor. It thus affirms that the admission for processing of a claim by the AEPD su-
recognizes the existence of indications of violation of the regulations of
data protection and this should imply - argues EQUIFAX - that they are carried out
prior investigation actions or, if you consider that the infringement is manifest,
as appears to be the case in the present case, that it proceed immediately to the opening
of the sanctioning procedure.
In view of the foregoing, the respondent draws the “ obvious consequence ” that if the
first claim was admitted on May 30, 2019 and the AEPD decided not to carry out
carry out investigative actions "the Agreement to initiate this procedure
should be from that date, so, being the maximum duration of the procedure of
nine months, the resolution [...] should have been issued on March 2, 2020 ”. Y
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 114
114/184
adds: “ In this way, the AEPD issued the Initiation Agreement long after
the date on which it should have issued a resolution if it had complied with the specific requirements
established in the data protection regulations, with which all actions
they should be considered expired. " (The underlining is ours)
It also refers to the situation of "inactivity" in which the AEPD estimates incurred in
in relation to the claims that were filed against EQUIFAX related to the FIJ.
He supports this conclusion in that of the 97 claims (96, since the claims are repeated
3 and 27) admitted to EQUIFAX, only some of the
they; in which, although all were admitted for processing, some were “ without a minimum
legal reasoning ”; in which the first claim (claimant 25) entered the
AEPD on 05/30/2019 and in which the AEPD did not carry out investigative actions
prior, for which, he affirms, from the admission to processing of the claims until the
the Agency dictates the agreement to initiate the sanctioning procedure that concerns us, the
07/24/2020, did not take any other action.
The procedures carried out by this Agency to which the complainant refers must
see with the process of admission of the claims received, which included to
some of them the transfer of the claim letter to the person in charge prior to the
agreement of the AEPD of its admission for processing.
In accordance with the provisions of article 55 of the RGPD, the AEPD is competent
to perform the functions assigned to it in its article 57, including that of
enforce the Regulation and promote the awareness of those responsible and
processors about their obligations, as well as
deal with claims submitted by an interested party and make the necessary
relevant research.
Correlatively, article 31 of the RGPD establishes the obligation of those responsible
and those in charge of the treatment to cooperate with the control authority that requests it in
the performance of their duties. In the event that they have designated a
data protection officer, article 39 of the RGPD attributes to him the function of
cooperate with said authority.
Article 65.4 of the LOPDGDD has provided a mechanism prior to admission to
processing of claims made before the AEPD which consists of giving
transfer of them to the data protection delegates designated by the
responsible or in charge of the treatment, for the purposes provided in article 37 of
the aforementioned norm, or to these when they have not been designated, so that they
analysis of said claims and to respond to them within a month. It is about
of an optional procedure , so that this transfer is carried out if the AEPD so
esteem.
In accordance with these regulations, prior to the admission for processing of the
claims that give rise to the present procedure, the defendant was notified
of some of the claims received so that it could proceed to its analysis, give
response to this Agency within a month and will certify having provided the
complainant the proper response.
The result of said transfer was not satisfactory, therefore, for the intended purposes
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 115
115/184
In its article 64.2 of the LOPDGDD, it was agreed to admit the claims for processing
presented through agreements that were duly notified to the claimants
and not the one claimed, in accordance with the provisions of article 65.5 of the LOPDGDD.
The defendant affirmed in her allegations to the initial agreement that the preliminary phase of
investigation remained open for more than sixteen months without conducting any
activity. In this regard, we must emphasize that the opening of a preliminary phase of
The investigation is optional in accordance with article 67 of the LOPDGDD.
No legal consequence can be attributed to the time elapsed between the
admission to processing of claims and the opening of the procedure, as there is no
no rule that limits the time available to the Administration to initiate this
type of procedures beyond the prescription rule and the effects
attribute.
The defendant draws attention to the inactivity of the AEPD which, in her opinion, is
reveals in the time elapsed between the receipt of a claim and
the opening of the sanctioning procedure. In relation to claimant 25, whose
claim entered the AEPD on 05/30/2019, considers that, since it was decided not to
transfer the claim or open preliminary investigation proceedings, it should
the agreement to open the sanctioning file has been issued in that same
date, 05/30/2019, so the resolution should have fallen on 03/02/2020, several
months before the Agency agreed to open the sanctioning procedure
that occupies us.
EQUIFAX understands that this unjustified inactivity results in the expiration of the
present procedure , given that the term to resolve would be expired in the
same date the initiation agreement was issued. In this sense, it considers that
Articles 64.2 and 67 of the LOPDGDD establish three successive phases without solution of
continuity (admission for processing, preliminary investigation actions and opening of the
sanctioning procedure), each of them with marked time limits,
so that, if you choose not to carry out prior investigative actions, once
admitted for processing the claim must proceed immediately to the opening of the
sanctioning procedure.
This approach of the defendant is not admissible. It should be noted that no
There is no rule applicable to the sanctioning procedure in matters of protection
of personal data that establishes a preclusive period to agree to its opening. What
the expiration period of this procedure, established in nine months, is computed
from the date on which its start is agreed, so it is inappropriate to add to that
computation, in order to measure the duration of the administrative file, another period, such
such as the time of the preliminary investigation actions, in the event that
had agreed to carry it out, or, in this case, the time corresponding to the phase
of admission to processing of the presented claims.
This has been repeatedly stated by our Supreme Court. In Judgment of
10/21/2015 cites the Judgment of 12/26/2007 (appeal 1907/2005), which declares the
following:
“[…] The term of the procedure […] is counted from the initiation of the file
sanctioner, which obviously excludes information time from the computation
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 116
116/184
reserved ";" […] The longer or shorter duration of the preliminary phase does not entail the
expiration of the subsequent procedure ".
Also in Judgment of the Supreme Court of 10/13/2011 (resource 3987/2008) that
examines a ground of appeal relating to the computation of the expiration period of the
procedure, the following is declared:
“We cannot share the reasoning presented by the Court of Instance to establish a
dies a quo different from that established by law, indicating as the initial date of the
computed the day after the completion of the preliminary information proceedings.
[…]
Well, once these previous actions have been carried out, the time it takes for the
Administration in agreeing to initiate the procedure […] may have the
Consequences that proceed as regards the calculation of the prescription (extinction of the
right); but it cannot be taken into consideration for expiration purposes, since
This figure is intended to ensure that once the procedure has begun, the
Administration does not exceed the time available to resolve. On the foundation
third of the sentence under appeal, the Court of Instance makes an interpretation of the
norm that is not in accordance with the nature of the institution of expiration, since
difference from the prescription, which is cause of extinction of the right or of the
responsibility in question, expiration is a mode of termination of the
procedure for the course of the period set in the norm, so its appreciation
does not prevent, if the period established for the prescription of the action has not elapsed
of restoration of urban legality by the Administration, the
initiation of a new procedure ”.
Explaining the alleged inactivity of the AEPD, it cannot even be considered that
that period to which the claimed refers, which includes the time elapsed
between the admission for processing of the claimant's claim 25 and the opening of the
procedure that concerns us, is a period of inactivity of this Agency, given
that during that time the admission procedures of the rest of the
claims.
c. Among the conducts that would have vitiated the radical nullity of the procedure that
We are concerned with the claim mentioned the " main circumstances " that have been
produced during the processing, the overview of which shows that the
procedure has been processed with a complete and repeated undermining of the
rights granted within the framework of the administrative sanctioning procedure
paragraphs 1 and 2 of article 53 of the LPACAP and for this purpose it refers to the following
circumstances:
1 No investigative actions were carried out prior to the opening of the
agreement to initiate the sanctioning procedure.
2.Delay in the submission of the copy of the administrative file: it is received by the
the penultimate day of the ordinary period granted to allege, although it is granted for
the AEPD the extension of the term for the maximum legally allowed, five days, and in
Consequently, he receives it with only six days remaining to issue his pleading brief.
tions. Remember that the file forwarded had an extension of 2,974 pages.
3.On 12/23/2020, the AEPD sends you a letter stating that “ it has been verified that
that, unfortunately, an incident of a technical nature curtailed part of the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 117
117/184
documentation that was part of the administrative file ” . It says that in the aforementioned writing
It is not granted a period of allegations since it was limited to indicating that the instructor did not
would proceed to the opening of the test phase until at least ten days have elapsed
working hours computed from the date of notification of the writing. He adds: “ All this without
any reference to the principle of integrity of the electronic administrative file
sacred by article 70.3 of the LPACAP ”.
4. “ The aforementioned file turned out to be increased to 4,319 (that is, an ex-
voltage higher by more than 45% than that of the file originally submitted), which
which motivated my client to expressly request the granting of a period for the
issuance of allegations and that the term for this be extended. The AEPD was limited to res-
ponder said request indicating the specific date on which it would agree to open the petition.
trial period, but without expressly granting my client any period to
allegations. " (The underlining is ours)
5.The test phase does not start until 01/20/2021, when almost
six months from the opening of the initiation agreement.
6.The proposed resolution is notified to EQUIFAX on 03/29/2021. In it, the two im-
initial putations, contained in the initiation agreement, are expanded with three new
fractions “ without any of them having resulted from obtaining information
any additional charge that could have justified this triple charge ”. Warn no
we are before a new legal classification of the infractions but before three new
infractions added by the AEPD “ [...] in the last step of the procedure, three
new accusations on a legal basis that could have been used in his
integrity at the time the Initiation Agreement is issued ”.
7.That, in accordance with the changes introduced with the proposed resolution, it was requested,
under the protection of article 32.1 LPACAP, the extension of the period of allegations by the
maximum legally allowed (five days). However, " the AEPD limits said expansion
within a single day in view of the evident risk of expiration of the procedure ”.
It states that “ In this way, it seems to deny my client a right that the law
granted as a consequence of the delay in the processing of the sole procedure-
attributable to the actions of that AEPD, which in no case should result in
to the detriment of the Administrator. " (The underlining is ours)
Regarding what was indicated by the complainant in point 1, we refer to the
considerations made in section b) above.
Regarding the statement contained in point 4, according to which the documentation that
it was not sent to EQUIFAX on 08/12/2020 it represented “ more than 45%” of the file
It should be noted that it incurs a numerical error, since the folios that the file
not incorporated into the requested copy accounted for slightly less than 33% of the
documentation that integrated it.
For the rest, the circumstances that the respondent details in her allegations to the
motion for a resolution, in particular what is indicated in points 2, 3 and 4, were
also raised in its two briefs of allegations to the initiation agreement. Invoked
then the helplessness suffered as a result of having seen limited and
ostensibly reduced their ability to make “ complete and
informed ” against the agreement to initiate the disciplinary proceedings.
In its second brief of allegations to the opening agreement, it requested that it be declared
the nullity of full right of the administrative sanctioning procedure whenever
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 118
118/184
the actions of the AEPD violated his right of defense. He then stated that
had violated articles 65.2.f) and 89.1 of the LPACAP because “ the process of
hearing of the interested parties and the right of the applicant to formulate
allegations, in view of the administrative file, are configured as a guarantee
essential of the procedure, being the reflection in the administrative procedure
sanctioner of the right to effective judicial protection that assists the accused. "
The omission of the hearing process would have materialized, in his opinion, in these
behaviors:
On the one hand, in that he could not have a real knowledge of the file except with the
scope of which he was notified before he made his allegations to the agreement of
beginning. That four months after submitting his allegations to the
initiation agreement, the AEPD sent him a full copy of the file that stated
manifest that in the first copy received, more than 30 percent of the
file, without there being any correlation between the indices of the two copies. For other,
The omission of the hearing process was specified in his understanding that the AEPD, in the
writing that notified him on 12/23/2020, did not give him a period to make allegations to the
starting agreement but, says the entity, "[...] the concession or grace consisting of
delay the start of the trial period for a period of ten days from the date of
delivery of the aforementioned "completed" or "supplemented" file.
On the questions then raised by EQUIFAX, various
Clarifications in the motion for a resolution regarding certain factual elements
to which the entity alluded when it based its request for the radical nullity of the
administrative Procedure.
One of the clarifications was about the electronic file that the AEPD has
implemented, which guarantees the authenticity and integrity of the documentation and that
reflects all the actions carried out in a given procedure and all the
documentation that integrates it.
In the electronic file, the computer system orders the documents and
procedures carried out exclusively following a chronological criterion. It's own
system that generates or makes the copy of the file, so that this
This circumstance, together with the extraordinary volume of the file, made that, in the
generated to respond to the transfer requested by the claimed on 08/03/2020, no
would have detected that not all of the documentation that
integrated. The fact that the 1,435 documents omitted in the first copy
appear in the copy transferred to the one claimed in December 2020 interspersed
with the previous ones, with the consequence that the index initially provided looked
also altered, it was the result, exclusively, of the chronological criterion that the
computer system to order documentation.
The second precision was related to the statement made by EQUIFAX of
that the AEPD did not grant him a period to formulate additional allegations to the
initiation agreement once she had access to the full copy of the file
administrative. We refer in this regard to Background Eight, Ninth and
Tenth in which the " iter" of the events is detailed . The Eighth Antecedent
refers to the letter that the instructor sent to the complainant on 12/23/2020 in the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 119
119/184
that, in addition to informing you that on that date a CD, encrypted,
with the complete copy of the administrative file, he communicated the following:
“In order to guarantee that EQUIFAX can, once it has at its disposal
all the documentation that served as the basis for this Agency for the adoption of the agreement
initiation of the sanctioning file PS / 000240/2019, make the allegations and provide
the documentation that it deems pertinent, the investigator of the file will not proceed to
the opening of the trial phase until at least ten business days have elapsed
computed from the date of notification of this writing, if the notification were
after December 28, 2020. If the notification of this communication were
prior to December 28, the ten business days will be counted from that date, for
be on this date that, ultimately, the courier company has
guaranteed to deliver the shipment containing the CD with the
documentation alluded to. " (The underlining is ours)
The letter dated 12/23/2020 that was notified to the respondent emphasized that, once
that he had in his possession the complete copy of the administrative file, the procedure to
To continue was "to make allegations and provide the documentation that it deems pertinent", to
what was necessary a period of time in which the procedure did not
You will advance to the next phase, the testing phase. Materially what was granted to the
claimed in the aforementioned brief was a deadline to allege, regardless of whether the
expression was formally inappropriate.
The same conviction of respect for the right of the respondent to make allegations, is
reflected in the response to his request that the
opening of the trial phase of the sanctioning procedure. In the writing of the
instructor of response to your request for an extension of the term to allege, dated
01/13/2021, received by the complainant on 01/14/2021, it was indicated:
"Without prejudice to the provisions of article 76.1 of Law 39/2015, of the Procedure
Common Administration of Public Administrations (LPACAP), with the same
purpose of guaranteeing the legitimate right of defense of EQUIFAX that inspired the
writing that was sent to that entity by the investigator of the file on
12/23/2020, you are informed that the evidentiary phase of the
procedure until expired on 01/15/2021. " (The underlining is ours)
It was also recalled - we refer to Antecedent Tenth, section I - that, having
note that GEISER's acknowledgment, regarding the presentation by EQUIFAX in the
electronic headquarters of the AEPD on 01/20/2021 of a document of allegations
complementary to the initiation agreement PS 240/2019, indicated that no
incorporated neither that document nor any other, various steps were taken to
alert the respondent of what happened and prevent the presentation of their
complementary allegations to the commencement agreement, until finally, on the date
01/24/2021, it was recorded in the acknowledgment of presentation of GEISER that the
The claim was attached to the aforementioned brief of allegations.
The legal effect that the respondent attributed then (in its allegations to the agreement
of beginning) and continues to attribute to the facts presented, is the absolute nullity of the
administrative procedure, under article 47.1. LPACAP, precept that
has:
"The acts of the Public Administrations are null and void in the cases
following: [...]
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 120
120/184
a) Those that infringe rights and freedoms subject to constitutional protection
[...]
e) The dictates totally and absolutely disregarding the legal procedure
established or the norms that contain the essential rules for the formation of
the will of the collegiate bodies. "
As stated in the proposal brief, taking into consideration the formalities
followed in the procedure, procedures described in the Background and, in particular,
For what is of interest here, in the Fifth to Tenth Background, it is necessary to reject
the thesis of the respondent that there had been a " total " and " absolute " omission
of the procedural rules.
If there was a delay by the AEPD in delivering the copy of the file that, in
words of the defendant, assumed that the period for allegations would be reduced to six
business days, it was due to the volume of the file that prevented a notification
electronics; but this circumstance cannot make us forget that the entity left
one business day has elapsed since the initiation agreement was notified, on 07/30/2020, and
until he requested the Agency, on 08/03/2020, to send a copy of the file.
Nor can it be forgotten that both with respect to his initial allegations,
08/19/2020, as with the complementary allegations, the Agency has always agreed
the extension of term requested. On the other hand, although the entity argues that, as
As a consequence of the reduction in available time, it has been ostensibly limited
their ability to make “ complete and informed” allegations against the
agreement to initiate the sanctioning file, nothing prevented him from having completed his
allegations in what it deems appropriate after the expiration of such term, according to
to the provisions of article 76 of the LPCAP, which it did not do.
It was added that EQUIFAX could have formulated in the second brief of allegations
to the commencement agreement, dated 01/24/2021, those " complete and informed " allegations
of which, she says, she was forced to do without due to lack of time, especially when she
herself had recognized that there were no substantial differences between
claims that made up the copy of the file initially sent and the 42
Omitted claims whose documentation could be accessed on 12/24/2020 -if
We abide by what is indicated in the acknowledgment of receipt from the MRV company that works in the
file- or on 12/28/2020 -according to one of the entity's versions- or in
date 12/26/2020 -according to another of its versions-.
As indicated then, it was enough to go to the supplementary allegations brief
of EQUIFAX to verify that in it the entity was limited to ratifying its
allegations to the initiation agreement presented on 08/19/2020; to do an analysis of the
42 claims omitted based on the same categories that he had differentiated in
his first brief of allegations and, mainly, to argue his claim that
The nullity of the procedure will be declared for being flawed of absolute nullity.
Ultimately, the claim of the defendant that there had been
produced a total and absolute omission of the legally established procedure -which
is the presupposition of the rule of article 47.1.e) LPACAP whose application invokes
consequently, the procedure was flawed with radical nullity.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 121
121/184
This Agency responded with a mention of the SAN, Contentious Chamber
Administrative, Section 1, of 03/08/2019 (resource 20/2018), FJ Fourth, which reflects the
position that the Supreme Court maintains on the matter:
"[...] When a procedural step has been omitted, but it has not been totally dispensed with and
absolutely of the legally foreseen procedure, we find the
possibility that the act may be voidable in accordance with art. 48.2 of the Law
39/2015, of October 1, although in this case only the declaration of
voidability if the act lacks the formal requirements essential to achieve
its end or if it has produced helplessness to the interested parties, as already noted.
However, there is no defenselessness for these purposes, as stated in the
Judgment of the Supreme Court of October 11, 2012 - appeal no. 408/2010 -, "yes
the interested party has been able to allege and prove in the file how much he has considered
timely in defense of their rights and position assumed, as well as appeal in
replacement, doctrine that is based on article 24.1 CE, if it was done within the file
the allegations it deemed appropriate "(STS February 27, 1991)," if it exercised, in
purpose, all proceeding resources, both administrative and jurisdictional "
(S.TS. of July 20, 1992). (The underlining is ours)
Therefore, "if the interested party in an administrative or contentious-administrative appeal
you have had the opportunity to defend yourself and assert your views, you can
It should be understood that the omission has been corrected and becomes irrelevant for the
real interests of the appellant and for the objectivity of the control of the Administration,
reconciling the constitutional prohibition of defenselessness with the advantages of
principle of procedural economy that complements the first without opposing it at all
to the same and that excludes useless procedural actions for the purposes of the procedure "
(SS.TS. of July 6, 1988 and June 17, 1991).
In addition, the judgment of the High Court of October 11, 2012 also declares that
"If despite the procedural omission, the trial Court has the
sufficient evidence to form a conviction that serves to decide
correctly the contest, must go on to analyze and judge the merits of the matter "; and
This is so "because the theory of the nullity of administrative acts has to be applied
with parsimony, being necessary always to weigh the effect produced by the cause
determinant of disability and the consequences that would have followed from the correct
governing procedure of the actions that are declared void "(S.TS. of July 20
of 1992), since "it is evident that if the guarantee of the administered
Indeed, it is not necessary to decree nullities if they only serve to
delay the resolution of the substantive issue "(SS.TS. of June 14, 1985,
July and November 16, 1987 and July 22, 1988).
In summary, the Supreme Court concludes that "the vice of form or procedure does not
is invalidating in itself, but insofar as the assumptions that the act
lacks the essential requirements to achieve its purpose or gives rise to the
defenselessness of the interested parties [...] ”.
Regarding the claim to declare the nullity of the procedure to the
protection of article 47.1.a) LPACAP, for violation of the right of the right to
defense and the procedural guarantees that the jurisprudence frames in the article
24.2 of the Constitution, based on the factual clarifications that have been made
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 122
122/184
to what is invoked by EQUIFAX, we must adhere to the criteria set by the
jurisprudence when interpreting the scope of the aforementioned LPACAP provision.
The jurisprudential doctrine on the matter requires that, in any case,
produced an effective and real injury to the right whose violation is invoked.
Although the defendant affirms that she has suffered a real and effective impairment of her right
defense, the truth is that this injury is not proven every time it has been
exercise your right of defense by formulating your pleadings within the
terms granted for this purpose. We refer on the matter to STC 78/1999, of 26
April, in which Legal Basis 2, states:
“Thus, according to reiterated constitutional doctrine that is synthesized in the foundation
legal 3 of the STC 62/1998, "the estimation of an appeal for protection by the
existence of infractions of the procedural norms' does not simply result from the
appreciation of the possible violation of the right due to the existence of a defect
procedural more or less serious, but it is necessary to prove the effective concurrence
of a state of material or real defenselessness' (STC 126/1991, legal basis 5;
STC 290/1993, legal basis 4). So that helplessness can be estimated
with constitutional relevance, which places the interested party outside of any possibility of
allege and defend your rights in the process, a violation is not enough
merely formal, it being necessary that a formal offense derive an effect
defenseless material, an effective and real impairment of the right of defense (STC
149/1998, legal basis 3), with the consequent real and effective damage to the
affected stakeholders (SSTC 155/1988, 4th legal basis, and 112/1989,
2nd legal basis) ". (The underlining is ours)
Finally, it remains to respond to the two behaviors outlined by the claimed in the
points 6 and 7 as determinants of the nullity of the procedure.
The first one, the extension of the object of the sanctioning procedure in the
motion for a resolution - every time three new
infractions, of articles 5.1. b), 5.1.c) and 14 of the RGPD, which were added to the two
provided for in the opening agreement, article 6.1., in relation to 5.1.a, RGPD and the
5.1.d) RGPD- which will be the subject of an independent analysis in the following section.
Regarding the behavior described in point 7, the following is indicated. The claimed has
stated that, in accordance with the changes introduced with the motion for a resolution,
requested, under article 32.1 LPACAP, the extension of the period of allegations
for the maximum legally allowed (five days), but the Agency limited such broad-
within a single day, in view of the obvious risk of expiration of the procedure.
ment, so that “ In this way, it seems to deny my client a right that
law grants it as a consequence of the delay in the processing of the single procedure
attributable to the actions of that AEPD, which in no case should result in
to the detriment of the Administrator. " (The underlining is ours).
Article 32 LPACAP provides that “ 1. The Administration, unless otherwise provided,
may grant ex officio or at the request of the interested parties, an extension of the deadlines
established, which does not exceed half of them, if the circumstances
advise and with this third party rights are not impaired. The extension agreement
it must be notified to the interested parties. " (The underlining is ours).
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 123
123/184
This Agency estimates that, while Article 32 LPACAP specifies the power of attorney
vo that the Administration has to agree on the extension of the procedural deadlines, the
not having granted EQUIFAX the requested extension of the term, taking into account that
their request was responded to, denying it, before the end of the period to formulate allegations
awards granted initially, may not entail an infringement of the right to defend
sa of the claimed or an infringement of the rules of administrative procedure,
even less can it imply that this decision would have completely dispensed with
and absolute (article 47.1.e) of the rules that regulate the procedure.
d. The fourth reason that in the opinion of the claimed defect of radical nullity the
sanctioning procedure is the defenselessness that has been generated by being deprived of the
“Right to know the specific accusations directed against her and her
defense rights and provision of evidence pertinent to their right,
enshrined in article 24.2 of the Constitution as a manifestation of the right to
effective judicial protection. "
Void of nullity that would be a consequence of the motion for a resolution expanding the
object of the procedure and in it the defendant was imputed, in addition to the two
fractions of the RGPD established in the initiation agreement (articles 6.1 and 5.1.d) three new
infractions, of articles 5.1. b), 5.1.c) and 14 of the RGPD.
In his opinion, such conduct is not covered by the regulations governing the procedure.
administrative procedure in general or, in particular, in that of the procedure in matters
of data protection.
Considers that, in light of articles 89.3 and 90.2 LPACAP, it is concluded that it is exclusive
sively the initiation agreement, which establishes the limits on which it may be
carried out the final qualification in the resolution proposal. That the proposed re
The solution cannot make new imputations, but only modify the initial qualification
cial made in the initiation agreement, making an imputation or imposing a sanction
more serious than that established in the opening agreement. And that the additional charges
they would require the processing of a new procedure.
In the matter at hand, the facts prosecuted were classified in the agreement of
initiation of the sanctioning proceedings as constituting both infractions of the
Articles 6.1, in relation to 5.1.a) of the RGPD and 5.1.d) RGPD, infractions
both typified in article 83.5 RGPD and qualified by the LOPDGDD, for the purposes
of prescription, of very serious infractions.
At the resolution proposal phase, it was considered necessary to broaden the purpose of the
procedure on the basis of the facts that had been detailed in the agreement of
opening and impute to EQUIFAX, in addition to the infractions of the Regulation established in
said agreement, each infringement of articles 5.1.b) RGPD, 5.1.c) RGPD and 14
RGPD, all typified in article 83.5 of the Regulation and qualified by the
LOPDGDD, for prescription purposes, of very serious offenses.
Regarding whether or not it is appropriate to extend the legal qualification in the proposal phase
of the facts set forth in the Initiation agreement and the incidence that such a change may
have in the right of defense of the denounced entity, it should be noted that nothing
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 124
124/184
prevents this modification as long as, as is now the case, it remains
The facts on which the allegation made is based can invariable.
The first of the rights that article 53.2 of the LPACAP recognizes in favor of the
responsible subject in the sanctioning procedure is the one who is notified of the facts
that are imputed to him; the infractions that such facts may constitute and the sanctions
that, if applicable, could be imposed on them.
The Constitutional Court has been stating that “ the essential content of the right
to be informed of the accusation refers to the facts considered
punishable by the accused ” (STC 95/1995). Unlike what happens
With the facts, the Constitutional Court (TC) in Sentence 145/1993 warns that the
communication to the alleged offender of the legal qualification and the eventual sanction to
imposing does not integrate the essential content of the right to be informed of the accusation.
To such an extent it is important to make known the facts constituting the
administrative offense, which the TC has declared that the requirements of article
24.2 of the EC are basically satisfied with the mere communication of the facts
accused to be able to defend themselves against them (STC 2/1987 and 190/1987). In this
line the Supreme Court, Judgment of March 3, 2004, indicates that “ the purpose
The primary part of the initiation agreement is to report on the alleged facts and not on the
legal qualification, which will be in charge of the resolution proposal ”. (The underline
is from the AEPD).
The respondent considers it legally inadmissible that in the proposed resolution
the object of the procedure could be broadened and affirms that this possibility is
proscribed in the LPACAP and not even allowed during the term of REPEPOS
that only allowed to change the qualification in the resolution proposal process
legal of the facts.
For these purposes we have to bring up the SAN of 03/12/2016 (resource 312/2014).
The second Law Foundation begins by reflecting the questions raised
by the plaintiff that affect the sanctioning procedure, among which alleges “ the
infringement of the principles that inform the sanctioning law and, specifically, of the
principle of "reformatio in peius", alluding to the fact that although the procedure was
on the occasion of an infringement of art. 5.1 of the LOPD, classified as mild, and another of the
art. 6 of said norm, considered serious, the proposed resolution altered the
legal qualification, appreciating two infractions of art. 6 of the LOPD, qualified
as serious, and an infringement of art. 5.4 of the indicated standard, also qualified
as serious. [...] "
The SAN responds to the question raised by the plaintiff in the following terms:
“As a result of what was raised by the plaintiff, it is convenient to reflect the cons-
constitutional law and jurisprudence on the scope of the right of those sanctioned to be
formed from the accusation during the processing of the administrative sanction procedure.
the sanctioning body and the limits to be respected by the sanctioning body in the exercise of its
sanctioning power to safeguard the right of defense of the former.
The inspiring principles of the criminal order are applicable, with certain nuances, to the
Administrative sanctioning law, since both are manifestations of the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 125
125/184
punitive order of the State, as reflected in the Constitution, a repeated
jurisprudence of our Supreme Court and the doctrine of the Constitutional Court
(In this sense, Judgments of the Supreme Court of April 28, 2014 -recourse no.
364/2013 -, and of April 9, 2014 - appeal no. 212/2013 -, among others)
[... For its part, the Supreme Court has also established that some of the guarantees
applicable to the administrative sanctioning procedure derived from the right to
defense recognized in art. 24 of the Constitution is to be informed of the
accusation to be able to defend itself adequately, as established in the Judgment
of the Supreme Court of November 3, 2003 - appeal no. 4,896 / 2000 -, whose
doctrine is reiterated in the Judgments of said Court of May 21, 2014
-resource n. 492/2013 -, and of October 30, 2013 - appeal no. 2,184 / 2012-, in the
following terms: "Well, from the doctrine of the Constitutional Court and the
The jurisprudence of this Chamber should highlight the following principles:
a) [...] In relation to this transfer operation of the guarantees of art. 24 CE to
administrative sanctioning procedure [...], has been progressively elaborated
in numerous resolutions a consolidated constitutional doctrine, which cites
as applicable, without the intention of being exhaustive, the right of defense, which proscribes
any helplessness; the right to be informed of the accusation, with the inescapable
consequence of the inalterability of the imputed facts; the right to
presumption of innocence, [...]
b) Among the guarantees applicable to the administrative sanctioning procedure are:
he finds, of course, that of being informed of the accusation in order to be able to defend himself
adequately; and such information includes the attributed facts, the qualification
legal status of the same and the sanction that is proposed. Now the strict correlation
between accusation and decision refers to the facts and not so much to the legal qualification,
inasmuch as the facts being charged remain unaltered, the proposal of
resolution and, ultimately, the sanctioning decision may use another title of
sentence with two limits: the impossibility of including it in said resolution of the
procedure a legal qualification of greater gravity than that reflected in the
communication of charges addressed to whoever is subjected to the sanctioning file, and
the impossibility of assessing in the resolution a legal qualification different from the
communicated if there is heterogeneity in the protected legal assets or if the
definitely considered infraction incorporates some element of the type that does not
corresponds to the one that was notified and about which the sanctioned person has not had, in
consequence, defense opportunity. And there is no variation of the facts between the
statement of charges, the proposed resolution and the sanctioning decision when,
Although the terms used are not exactly the same, they are similar and what
There is a different technical-legal assessment of them (Cf. SSTC 98/1989 and
145/1993). " (The underlining is from the AEPD)
This same criterion has been maintained by the AN after the entry into force of the LPACAP.
This is confirmed by the SAN of 02/07/2020 (resource 915/2018) in which the resolution of the
The contested AEPD had been issued during the validity of that regulation of
process.
Finally, in line with what was stated by the defendant who states that the expansion
of the object of the procedure at the proposal stage has impaired their right to
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 126
126/184
defense, having been deprived of the possibility of providing the evidence that
considered appropriate for the legitimate exercise of their right, it should be remembered that the
Article 82 LPACAP, which regulates the hearing procedure, provides in section 2:
"The interested parties, within a period of no less than ten days or more than fifteen, may
allege and present the documents and justifications that they deem pertinent. "
Therefore, in view of what has been stated in sections a) to d)
precedents, in which the reasons that in the opinion of the claimed
would determine the radical nullity of the present procedure by concurring the
circumstances of article 47.1.a) and e) LPACAP, we consider that such a claim must be
be rejected.
IV
Of the presumed recognition by the AEPD of the legality of the FIJ during the validity of the
legal regime prior to the RGPD and the legal effects that in the opinion of the
claimed stem from him.
1. Reference to the legal regime prior to the RGPD.
Organic Law 15/1999, of December 13, on the protection of personal data
(LOPD), which transposed Directive 95/46 / CE, of the
European Parliament and of the Council, of 10/24/1995, established in article 6:
" 1. The processing of personal data will require consent
unequivocal of the affected, unless the law provides otherwise.
2. Consent will not be required when personal data is collected
for the exercise of the functions of public administrations in the field
of its powers; [...] or when the data appear in sources accessible to the public and
its treatment is necessary for the satisfaction of the legitimate interest pursued by the
responsible for the file or that of the third party to whom the data is communicated, always
that the fundamental rights and freedoms of the interested party are not violated. "
In turn, article 3 of the LOPD defined the sources of public access as follows:
" J) Sources accessible to the public: those files whose consultation can be made,
by any person, not impeded by a limiting norm or without further requirement than,
where appropriate, the payment of a consideration. "
The judgment of the Court of Justice of the European Union of 11/24/2011 (cases
C-468/10 and C-469/10), which resolved the question referred by the
Supreme Court and whose pronouncement was collected in the STS of 02/08/2012
(appeal 25/2008) states (paragraph 36) that Member States cannot
introduce, pursuant to the provisions of Article 5 of Directive 95/46, principles
relating to the legitimacy of the processing of personal data other than those
set forth in Article 7 of that Directive or modify, by means of requirements
additional, the scope of the six principles established in said article 7.
It added in paragraphs 38 and 39 that Article 7, letter f), establishes two requirements
accumulative so that a processing of personal data is lawful, that is, by a
party, that such processing of personal data is necessary for the satisfaction of the
legitimate interest pursued by the person responsible for the treatment or by the third party or
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 127
127/184
third parties to whom the data is communicated, and, secondly, that the
fundamental rights and freedoms of the interested party. And he concluded that it follows
that, with regard to the processing of personal data, article 7, letter f), of the
Directive 95/46 opposes any national regulation that, in the event that there is no
consent of the interested party, impose additional requirements that are added to the
two cumulative requirements mentioned in the previous section.
Given the incorrect transposition that was made in the national law of said precept, the
CJEU (paragraphs 51 and 55) recognizes the direct effect of Article 7.f) of the Directive
95/46 with the consequence that from then on she had to be understood as displaced (that
not annulled) the rule of article 6.2 LOPD in favor of the aforementioned precept.
Until the publication of the judgments of the CJEU and the Supreme Court, the AEPD and the Courts of
justice applied article 6.2. LOPD in connection with article 3.j) and concluded
without further ado than the processing of data obtained from these access sources
the public was considered lawful.
As a result of the judgments of the CJEU and the Supreme Court, the circumstance that the data
personal data would have been obtained from a publicly accessible source defined in the
Article 3. j) LOPD could no longer, by that mere fact , constitute the legal basis
of a processing of personal data.
The relevance that from then on could be attributed to the circumstance that the
data object of treatment came from sources of such a nature is the aforementioned
in paragraph 44 of the STJUE which indicates that with regard to the weighting
required by Article 7, f) of Directive 95/46 “it is necessary to take into consideration the
fact that the seriousness of the violation of the fundamental rights of the person
affected by said treatment may vary depending on whether the data already appears, or
no, in sources accessible to the public. "
After the STJE the National High Court, in a judgment of 05/31/2012,
upheld the contentious appeal filed against the resolution issued by the AEPD that
sanctioned for violation of article 6.1 LOPD, as a consequence of the treatment
of the data of those affected without their consent to whom you sent emails
electronic advertising their candidacy in the elections of a professional Association.
The sanctioning resolution had rejected the legitimate interest invoked by the
sanctioned as the basis of the treatment on the premise that the data
Treaties did not come from publicly accessible sources. The judgment of the Hearing
National says:
“[...] It is possible, in short, and in accordance with said Community Jurisprudence, that
there are personal data processing that does not appear in one of those that our
internal legislation called "public access sources" (article 3.f) LOPD and article
7 RLOPD) but that, however, do not require the consent of the holders of
such data because its treatment is necessary to satisfy a legitimate interest of the
responsable
of the same, or of the assignee, provided that the rights and freedoms of the
interested [...] "And he adds:" [...] Weighting of interests in conflict [...] will depend on
the specific circumstances of each case and in which, however, it can be taken
under consideration, in order to determine the possible infringement of the rights
data of the affected party, the fact that the data already appears, or not, in sources
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 128
128/184
accessible to the public. More this, simply, as one more element of weighting. "
(The underlining is ours)
In the regulatory framework of the RGPD, the position of the AEPD regarding calls
public access sources is reflected in Report 136/2018, which recalls:
“[...] already in the 10th annual session it was stated that with the RGPD it is not possible to speak of a
legal concept of source of public access as the existing one with the previous LOPD. The
Article 14.1 f) of the RGPD only mentions this concept to establish the
obligation of the data controller to provide the interested party with information on whether
their personal data come from publicly accessible sources, but without defining these ”.
In the same sense, the Report of 10/03/2019, (Entry record 045824/2019)
noted that “[...] as of the entry into force of the RGPD, it is not possible to speak of a
legal concept of "sources accessible to the public" such as the one that existed in the previous Law
Organic 15/1993 [...] The RGPD only talks about public access sources when regulating the
right to information if the data has not been collected from the interested party ”.
2. In the brief of allegations to the proposed resolution, through your allegation
fourth - "On the assessments made by the AEPD on the basis of law
IV of the motion for a resolution ”- the defendant argues, as it did in its
allegations to the initiation agreement, that the AEPD has violated the principle of trust
legitimate and therefore does not concur in the performance of EQUIFAX the subjective element
of the offense, in such a way that no sanction could be imposed by virtue of the
principle of guilt recognized in article 28 of Law 40/2015, of 1
October, of the Legal Regime of the Public Sector (LRJSP)
The first allegation of the brief of allegations to the proposal ratifies in its entirety
the allegations that the defendant made against the agreement to open the
process.
As reflected in the proposed resolution, the respondent alleged that, in the present
In this case, all the elements required to assess that the Agency had
violated the principle of legitimate confidence and mentioned for this purpose the STS of 02/22/2016
(resource 1354/2014) according to which the failure of this principle would require the
concurrence of these elements:
(i) that is based on undeniable and external signs; (ii) that the expectations generated in
the administered must be legitimate; (iii) that the final conduct of the Administration
is contradictory to the previous acts, is surprising and incoherent.
In EQUIFAX's opinion, this breach of the legitimate confidence of the AEPD would oblige the
filing of the procedure due to the absence of the guilty element of the offense.
He invoked in this sense, in defense of his thesis that the AEPD had broken the
principle of legitimate confidence, the SAN of 02/04/2009 (appeal 304/2007) which declares
that the breach of this principle should lead to the nullity of the sanctioning resolution
object of the appeal.
The judgment indicates that it is true that the reasons for the resolutions
administrative procedures required by article 54 of Law 30/1992 must allow the
change of criteria in decision-making “ but this change of criteria cannot
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 129
129/184
have retroactive effects, especially in cases in which there had been
previous exculpatory pronouncements in the face of identical behaviors . " This SAN appointment, to his
time, another from the same Court on 06/13/2008 (appeal 55/2005) in which it indicates that “In
sanctioning matter, the new criteria, no matter how reasonable they may be, [...]
have to unfold their effects into the future, but never be projected into
past actions that will accommodate existing criteria ”.
In turn, in the allegations that EQUIFAX made to the opening agreement, among others
many considerations, specifically stated that the existing legal framework before
of the effective application of the RGPD and after the STJUE of 11/24/2011, no
had been altered if not reiterated, both in relation to the principle of legality and the
principle of accuracy (remember that the opening agreement attributed to the
the infringement of both principles). Thus, on page 18 of the brief of allegations to the
opening agreement says the following:
“ This also leads to the conclusion that the alleged treatment carried out
carried out by my client [...] was not only not contrary, but expressly
covered by the regulatory framework in force prior to the entry into force of the RGPD,
It is also necessary to add that said framework has not been altered, but rather by the
reiterated contrary with said entry into force, both in what affects the principle of
legality (which was also included in article 6.1.a) of the Directive as well as in what
concerns the principle of accuracy [...] ” (Emphasis is ours)
On page 22 of the allegations to the opening agreement, the respondent stressed that
the tenor of the rules allegedly violated had not been modified. It says in that
sense:
“ Everything that has been indicated there is no doubt that it implies the existence of a
manifest change of legal criterion on the part of that AEPD, which now considers
radically illicit the treatment that had been understood to be lawful (without having
modified the tenor of the rules allegedly violated [...] "
At the same time, the respondent set out in her allegations the opening agreement (which
remember, it has expressly reiterated in its allegations to the proposal) that the
agreement to initiate PS / 240/2019 represented a change in legal criteria, from
way that the Agency violated the principle of legitimate expectations and security
legal, principles that should govern the actions of Public Administrations
in accordance with article 3.1.e, of Law 40/2015, of October 1, on the Legal Regime of the
Public Sector, (LRJSP).
If indeed the AEPD had violated the principles of legitimate expectations and
legal certainty - which evidently has not happened - the consequence could be
the file of the file due to the absence of the guilty element of the offense.
Now, in order to show a violation of the principle of legitimate confidence, the
change of legal criterion must be arbitrary and, therefore, cannot be motivated by
a normative change.
At this point, it should be noted that, in the assumption we are analyzing, that
normative change exists , so that in no case is it possible to conclude, as
the complainant claims that the AEPD has arbitrarily modified its criteria
thereby violating the principle of legitimate expectations. Regulatory change is
specified in the repeal by the LOPDGDD of article 29.1 of the LOPD.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 130
130/184
EQUIFAX, repeatedly suggests that, to the extent that the standards that
regulate the principles of legality and accuracy in the RGPD and in Directive 95/46 they have not
varied in essence, there is no other normative change that justifies the criterion
followed in the present procedure before her.
The truth is, however, that EQUIFAX uses in its various writings of
allegations, as a legal basis for the data processing carried out by the FIJ,
an " express legal provision" that, says that entity, recognized the legality of systems
like the FIJ: article 29.1 LOPD.
The controversy therefore arises around the legal framework in force before the
effective application of the RGPD and after the STJUE so many times cited and if said
legal framework considered or not in accordance with the regulations governing the right to
protection of personal data the treatment that the FIJ carried out.
In the brief of allegations to the commencement agreement, the respondent tried to corroborate her
particular conception of the scope of article 29.1 LOPD with what is indicated in the agreement
opening of the procedure. Thus, the motion for a resolution stated the following:
" The third allegation of the brief of allegations to the agreement to open the
The procedure is dedicated to the “[...] pre-existing regulations to the RGPD and the
performance of the AEPD in relation to the File of Judicial Incidents ”.
Allegations that the respondent expressly reiterated in her second brief of
allegations to the opening agreement or complementary allegations.
The entity stated in that third allegation of its brief that “[..] as
recognizes the Agreement itself, the material norms whose violation is attributed to my
constituent have not changed in terms of their content as a result of the reform
operated by the GDPR. "
“[..] based on the similarity, if not identity, between the regulations previously
in force and the collection in the text of the RGPD, it is necessary to take into account that the
systems such as the FIJ were expressly recognized in article 29.1 of the "
LOPD. And that, in light of the jurisprudence emanating from the CJEU, the conclusion is reached
of “ that the data processing carried out by the FIJ was based on the
provided for in Article 7 f) of the Directive [...] ”. (The underlining is ours)
He added “[...] that the alleged treatment carried out by my client [...] not only
It was not contrary, but expressly protected in the current regulatory framework
prior to the entry into force of the RGPD [...] ” And that said framework has not been seen
altered, but on the contrary reiterated with said entry into force, both in what
it affects the principle of legality as well as the principle of accuracy. (The
underlined is ours)
These considerations of EQUIFAX forced to warn in the proposal of
resolution that "the opening agreement referred, solely and exclusively, to the similarity
that exists between article 6.1.f) of the RGPD and article 7.f) of Directive 95/46. The
manifestations of the claimed may imply that the reference to the article
7.f) of Directive 95/46 that was made in the initiation agreement is the same as the reference
that she does to the regime provided for in the previous regulations, in which it is included,
among other provisions, article 29.1 of the LOPD. Question that would lack all
importance if it were not because after establishing such equivalence the claimed
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 131
131/184
goes on to affirm that the FIJ was recognized in article 29.1 of the LOPD and from there to
affirm that the "data processing" carried out through the FIJ in the legal regime
prior to the GDPR, it was lawful. "
Well, in the brief of allegations to the proposed resolution, the claimed -in
its fourth claim, which has the heading “On the assessments made by the
AEPD on the basis of law IV of the motion for a resolution ”- continues
affirming that, until the full application of the GDPR, and even later, until
the entry into force of the LOPDGDD “there was an express legal provision that recognized
the legality of information systems that collect information obtained with the
consent of the interested party or sources accessible to the public in order to
evaluate the solvency of the interested parties ”. (The underlining is ours)
The defendant expresses the thesis that it defends with greater clarity not in this allegation
fourth of the brief of allegations to the proposal but in the sixth allegation related to the
principle of legality.
Notwithstanding that we return to the issue when analyzing the infringement
of article 6.1 RGPD, we anticipate that the respondent affirms, after saying that
has an “ evident legal basis, the concurrence of a legitimate interest
prevalent, for the treatment of the data in the FIJ. " He adds that “Obviously, the
Article 29.1 of the LOPD did not regulate the basic principles or legal bases of the
treatment, but determined that, on the basis of principles and legal bases
identical to those contained in the RGPD, the treatment of the data collected in the
itself was lawful. That is, either article 29.1 of the LOPD exceeded the
of the regime contained in the Directive, enabling nothing less than a treatment that
violated its articles 6 and 7 in the terms assumed by the Proposal for Resolution,
something that no Court or the Institutions of the European Union (and even less the
own AEPD) even hinted at any time or, remaining unchanged the
principles and legal bases, this treatment is as consistent with the RGPD as it was with
Directive. This fact is undoubted, no matter how much it tries to force the
argumentation in another sense. " (The underlining is ours
Given the continuous references of EQUIFAX in its allegations to the initiation agreement
that intended to protect the treatment carried out by the FIJ in article 29.1 LOPD,
in the proposed resolution it was noted that the aforementioned file would have a place in the
category or file system provided for in that precept as long as it respects
the principles that governed the data protection regulations provided for in article 4
of the LOPD, data quality , and, in particular, the principle of limitation of the
purpose of the treatment. And that, being the FIJ a credit information system that
does not obtain the data from the information provided by the interested party, nor does he provide his
consent to the treatment, but obtains the data from " records and sources
accessible to the public ”, the legal basis for this treatment could only be the
provided for in article 7.f) of the Directive.
It should be remembered, for this purpose, that article 37.1 of the RLOPD established that “The
processing of personal data on financial solvency and credit,
provided for in section 1 of article 29 of Organic Law 15/1999, of 13
December, will be subject to the provisions, in general, in said organic law and
in these regulations. "
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 132
132/184
The change in the legal criteria of the AEPD, which in EQUIFAX's opinion represents the
procedure followed in front of it is not elicited -as he wants to imply the
claimed- regarding the legal bases of the data processing or the principles
governing the latter provided for, respectively, in the Directive and the RGPD.
On the contrary, the change in the criterion attributed to the AEPD and that, supposedly,
reflected in the procedure that concerns us revolves around article 29.1 LOPD. More
exactly, the intended change of criterion is nothing but the disparate interpretation of the
norm, of its meaning and scope, that make, respectively, this Agency and
EQUIFAX.
In any case, article 29.1 LOPD is not in force. It was repealed by the
LOPDGDD, which entered into force on 12/07/2018, and neither in the RGPD nor in the LOPDGDD
there is an equivalent rule.
For the aforementioned reasons, the thesis that the AEPD has violated the
principle of legitimate expectations. The proceeding against EQUIFAX is
congruent as has been indicated with the meaning of the STJUE and with the
repeal of article 29.1 LOPD in which that entity intends to protect the
treatment carried out through the FIJ.
V
Of the infringement of the principle of limitation of the purpose
1. The behaviors that are the object of assessment in this sanctioning procedure
are related to the treatment carried out by the claimed through the FIJ of
personal data of those affected who obtained, for the most part, from the BOE, plus
exactly from the Official Board of the BOE (TEU-BOE); of the official newspapers of
the autonomous communities; of the Provincial Bulletins (BOP) and through the
Electronic or physical headquarters of Public Law bodies or entities. So
certify the documents in the file relating to the response to the
access to the FIJ requested by those affected. In light of these documents exist in the
FIJ annotations of alleged debts attributed to the claimants who were given
registered in the file on very different dates, some of them in 2013.
The RGPD dedicates to the principles that govern the processing of data of character
personal article 5. Among them, it refers to the limitation of the purpose in article
5.1.b) according to which personal data will be “ collected for specific purposes,
explicit and legitimate, and will not be further processed in a manner incompatible with
said purposes; in accordance with article 89 (1), the further processing of
personal data for archival purposes in the public interest, research purposes
scientific and historical or statistical purposes shall not be considered incompatible with the purposes
initials ” (The underlining is ours)
Recital 50 of the GDPR helps to clarify the scope of this principle and
He says:
"The processing of personal data for purposes other than those for which they have
initially collected should only be allowed where compatible with the purposes
of your initial collection. In such a case, no separate legal basis is required, other than
the one that allowed the obtaining of personal data. If treatment is necessary
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 133
133/184
for the fulfillment of a mission carried out in the public interest or in the exercise of
public powers conferred on the person responsible for the treatment, the tasks and the purposes
for which the subsequent treatment should be considered compatible and lawful can be
determine and specify in accordance with the law of the Union or of the States
members. Subsequent processing operations for archival purposes in the interest
public, scientific and historical research purposes or statistical purposes should
considered compatible lawful processing operations. The legal basis
established in the law of the Union or the Member States for the treatment
personal data can also serve as a legal basis for further processing.
In order to determine whether the purpose of the further processing is compatible with the purpose of the
initial collection of personal data, the controller, after having
Once all the requirements for the legality of the original treatment have been fulfilled, you must take into
account, among other things, any relationship between these purposes and the purposes of the
planned further processing, the context in which the data were collected, in
particular the reasonable expectations of the interested party based on their relationship with the
responsible for its subsequent use, the nature of the personal data, the
consequences for the interested parties of the planned further processing and the existence of
adequate guarantees both in the original treatment operation and in the
planned further processing operation. If the interested party gave their consent or the
treatment is based on the law of the Union or of the Member States that
constitutes a necessary and proportionate measure in a democratic society to
safeguard, in particular, important objectives of general public interest, the
responsible must be empowered to further process personal data,
regardless of the compatibility of the purposes. In any case, it must be guaranteed
the application of the principles established by this Regulation and, in particular,
the information of the interested party about those other purposes and about their rights, including the
right of opposition. The indication of possible criminal acts or threats to the
public safety by the person responsible for the treatment and transmission to the
competent authority of the data regarding individual cases or diverse cases
related to the same criminal act or threat to public safety must
be considered to be in the legitimate interest of the person responsible. Still, it should be forbidden
that transmission in the legitimate interest of the controller or the subsequent processing of data
personal if the treatment is not compatible with an obligation of legal secrecy,
professional or binding for another reason. "
The principle of limitation of the purpose prevents that a treatment can be carried out
subsequent personal data if the purposes of this treatment and those pursued by the
original treatment are not supported. Article 6 RGPD, relative to the “ Legality of the
treatment ”, dedicates its section 4 to list the elements that allow determining
if a treatment for another purpose is compatible with the initial purpose for which they were collected
the data:
"When the treatment for a purpose other than that for which the
personal data is not based on the consent of the interested party or on the Law
of the Union or of the Member States that constitutes a necessary measure and
proportional in a democratic society to safeguard the stated objectives
in article 23, paragraph 1, the data controller, in order to determine
if the treatment for another purpose is compatible with the purpose for which they were collected
initially personal data, will take into account, among other things:
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 134
134/184
a) any relationship between the purposes for which the data was collected
personal and the purposes of the planned further processing;
b) the context in which the personal data was collected, in particular for what
Regarding the relationship between the interested parties and the person responsible for the treatment;
c) the nature of the personal data, specifically when categories are processed
special personal data, in accordance with article 9, or personal data
relating to convictions and criminal offenses, in accordance with article 10;
d) the possible consequences for the data subjects of the planned further processing;
e) the existence of adequate guarantees, which may include encryption or
pseudonymization "
2. In order to determine whether the treatment of the data of the claimants who
has carried out EQUIFAX through the FIJ is or is not respectful of the principle provided in
article 5.1.b) RGPD, the starting point must be the origin of the processed data.
As has already been indicated, the data of the claimants were obtained, in their great
majority, from the BOE, more precisely from the Official Board of the BOE (TEU-BOE); from
the official newspapers of the Autonomous Communities; of the Provincial Bulletins
(BOP) and through the electronic or physical headquarters of bodies or entities of Law
Public. The fact that the data of the complainants come from public sources,
basically from official newspapers and gazettes, evidence that these had been subject to
a previous treatment with a specific purpose.
Article 44 of the LPACAP under the heading "Unsuccessful notification" states:
"When those interested in a procedure are unknown, the place is ignored
of the notification or, if it was attempted, it could not have been carried out, the notification
It will be done by means of an announcement published in the "Official State Gazette".
Likewise, previously and on an optional basis, the Administrations may
publish an announcement in the official bulletin of the Autonomous Community or the Province,
on the notice board of the City Council of the last domicile of the interested party or of the
Consulate or Consular Section of the corresponding Embassy.
Public Administrations may establish other forms of notification
complementary through the other means of diffusion, which will not exclude the
Obligation to publish the corresponding announcement in the "Official State Gazette."
Article 45 of the LPACAP, " Publication", provides:
"1. Administrative acts will be published when so established by the
regulatory standards of each procedure or when advisable for reasons of interest
public appreciated by the competent body.
In any case, the administrative acts will be published, the latter supplying the
effects of the notification, in the following cases:
a) When the act is intended for an indeterminate plurality of people or
when the Administration considers that the notification made to a single interested party is
insufficient to guarantee notification to all, being, in the latter case,
additional to the individually performed.
b) In the case of acts that are part of a selective procedure or of
competitive competition of any kind. In this case, the convocation of the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 135
135/184
The procedure must indicate the medium where the successive
publications, lacking validity those carried out in different places.
2. The publication of an act must contain the same elements as the article
40.2 requires regarding notifications. It will also be applicable to the publication
established in section 3 of the same article.
In the cases of publication of acts that contain common elements,
The coinciding aspects may be published jointly, specifying
only the individual aspects of each act.
3. The publication of the acts will be carried out in the corresponding official gazette, according to
whichever Administration the act to be notified comes from.
4. Without prejudice to the provisions of article 44, the publication of acts and
communications that, due to legal or regulatory provision, must be carried out on a notice board
of announcements or edicts, it will be understood as fulfilled by its publication in the Official Gazette
correspondent."
These precepts detail the cases in which the Administrations
Public, in compliance with an obligation imposed by the LPACAP, publish in
bulletins and official journals administrative acts and resolutions.
The notification, in the words of the Supreme Court (STS 03/07/1997) “ consists of a
formal communication of the administrative act in question . " The doctrine explains that
is the mechanism through which the interested party is transferred to the content of a
act. On the other hand, the notification of acts and resolutions is mandatory for
Public Administrations and a requirement to which its effectiveness is subject (article 39 of
the LPACAP) Thus, the notification constitutes a guarantee for the company already
that through it he knows the acts of the Administration that affect his rights
and legitimate interests for it is an instrument that guarantees the right to guardianship
effective judicial system (article 24.1 of the EC)
Through the publication the same purpose as the notification is intended, that the
content of the administrative act reaches the knowledge of those who are interested in
an administrative procedure.
The LPACAP refers to publication in both article 44 and article 45.
Article 44 includes the assumptions that Gamero Casado calls " publication
supplementary notice ”. Article 44 LPACAP establishes that the
to the publication in the BOE when the notification had been unsuccessful, or the
persons interested in the procedure are unknown or their whereabouts are unknown.
In addition to the publication through the BOE, article 44 LPACAP empowers the
Administrations so that, previously, they publish announcements in the official bulletin of the
Autonomous Community or Province, on the notice board of the City Council of the
Last address of the interested party or of the Consulate or Consular Section of the Embassy
correspondent.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 136
136/184
Likewise, the publication of acts and resolutions will be attended in the cases of
Article 45 LPACAP. Assumptions that, following the criteria of Gamero Casado ,
we can group as follows:
(i) Substitute publications for the notification (that is, when the acts are published
instead of being notified), which proceeds when the act is addressed to a
indeterminate plurality of persons or in the case of acts that make up a
selective procedure or competitive competition.
(ii) Complementary publication of the notification (in addition to the notification it is
mandatory publication), what happens when reasons of interest advise it
public; in procedures in which there are several interested parties, when
notify only one and fear that it is insufficient to guarantee knowledge of the
act by all of them and when the regulatory norms of a specific procedure
so establish it.
With the exception of the " substitute publications for the notification" provided for in the
Article 44 LPACAP, in which, as indicated, it is mandatory to publish in
the BOE, in the rest of the cases the publication is made in the official gazette
corresponding to the Public Administration from which it comes. The LPACAP, article
45.4 encourages that by means of specific legal or regulatory provisions,
impose the publication of acts and communications on bulletin boards or
edicts, although it adds that this obligation will be understood to have been fulfilled with the publication
in the corresponding official gazette.
In terms similar to article 44 of the LPACAP, article 112 of the
Law 58/2003, of December 17, General Tax, which provides for the summons, to be
notified by appearance, through announcements published in the BOE. Also
Article 29.2 of the Consolidated Text of the Real Estate Cadastre Law, approved by the
Royal Legislative Decree 1/2004, of March 5, provides for the notification
with obligatory character by means of announcement in the BOE. The Consolidated Text of the Law
General Social Security, approved by Royal Legislative Decree 8/2015, of
October 30, provides in article 132.4 that notifications that have not been able to
be done at the electronic headquarters of the Social Security or at the address of the
interested, will be practiced exclusively by means of an advertisement published in the
Official State Gazette in accordance with the third additional provision of the Law
39/2015.
3. The publication that the Public Administrations make of acts or resolutions
administrative that include personal data, implies for the administered a
restriction to the fundamental right recognized in article 18.4 of the EC
Through the publication of an administrative act or resolution - to which, as has been
indicated, article 39 of the LPACAP is subject to its effectiveness - it is intended to guarantee
interested parties the exercise of their right of defense -which in turn connects with the
right to effective judicial protection recognized in article 24.1 of the EC- and allows
to the Public Administrations the exercise of their powers. In such a way that the
purpose pursued with this obvious limitation to the right to data protection
it is directly connected with a public interest.
The publication of the personal data of those affected in these cases is, therefore,
oblivious to his will. It is established by a norm with the force of law and is justified by the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 137
137/184
pursuing public interest. Well, it is precisely these personal data,
that have been the subject of publication in official gazettes and newspapers without the assistance of the
will of its owners in compliance with a legal obligation and with the purpose of
satisfy a public interest, the data from which the FIJ draws. Evidently
when its content is related to situations of non-compliance with
monetary obligations.
The subsequent treatment of these data that EQUIFAX carries out pursues a purpose
clearly different from the public interest that justified its publication. If we do not follow the
legitimate interests that EQUIFAX seeks to satisfy through the FIJ, it is evident
that they are for different purposes. While the treatment of the data of the
administered by Public Administrations through the publication of acts
administrative in the official newspapers and gazettes seeks to satisfy a public interest,
the subsequent treatment that EQUIFAX makes of these data through the FIJ -according to
declared the claimed in the brief of allegations to the initiation agreement- is
linked to the assessment of the solvency of those affected and the prevention of fraud.
Article 6.4 RGPD provides some criteria to determine whether further processing
of the data of the claimants through the FIJ is compatible with the treatment
original. To these are added the indications offered in Recital 50 of the
GDPR.
In the present case, in light of the guidelines that both offer, it can be stated that
the purpose of the original treatment and that of the subsequent treatment by EQUIFAX are
clearly incompatible: There is no relationship between the purpose of the treatment
made through publications in official gazettes and gazettes that include
personal data of those affected - the public interest connected with the right to
effective judicial protection of the administered and the effective exercise by the
Public Administrations of the powers attributed to them- and the purpose for which
EQUIFAX processes the data, which it has specified in the assessment of solvency and in
fraud prevention.
Neither does there exist between the claimants and the person responsible for the treatment
relationship linked to the context in which the data were collected, so that the
affected have not been able to have any reasonable expectation that their data would be
object of this treatment. The consequences that derive for the claimants whose
The data that have been included in the FIJ are clearly adverse, since we are facing a
negative file of patrimonial solvency that identifies them as debtors before
anyone who makes a query to that file, with the added aggravation that the
FIJ clearly breaches the principle of accuracy in its update statement
of the data. And, obviously, EQUIFAX has not established additional guarantees for
that the treatment does not affect the fundamental right to data protection since
that the purpose that the FIJ seeks to satisfy requires having the identity data of
the affected.
The principle of proactive responsibility of article 5.2 of the GDPR obliges the person responsible
of the treatment to be in a position to prove that it complies with the principles that
preside over the data processing; so the principle of limitation is of interest here
of the purpose. On the other hand, both article 6.4 RGPD and Recital 50 are
refer to the person responsible for the treatment as the subject who must determine if the
purpose of the further processing that you intend to carry out is compatible with the purpose
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 138
138/184
for which the data were initially collected, which is consistent with the principle
of proactive responsibility that must govern the actions of the person responsible for the
treatment.
It seems obvious that EQUIFAX has been fully aware that the treatment of
data carried out through the FIJ violates article 5.1.b) RGPD.
In that sense, due to its clear relevance to the element of guilt, we pass
to reproduce this fragment of document number 8 of those contributed in response to
the proceedings of evidence - “LIA Judicial File. Legal analysis. December 2019 ”-,
document that the respondent previously provided to the AEPD attached to the brief of
allegations to the initiation agreement. The document, as indicated in point 1, has
in order to demonstrate the existence of a prevailing legal interest in the treatment
carried out by the FIJ against the rights, freedoms and interests of the holders of the
data. Well, point 7 of the document - “ Operation of the files of
EQUIFAX with information obtained from publicly accessible sources ”- dedicates a section
to analyze the guarantees that the file intends to implement and in point 1.1., under the
heading "Principle of purpose ", states the following:
“On the other hand, the principle of finality includes the limitation of the subsequent uses of
the data, since the RGPD prohibits in its article 5.1 a) the subsequent treatment of
the data for purposes incompatible with those that motivated its collection, although
exempts from this limitation the use of data for archival purposes of public interest or
scientific or statistical research. [...]. " (The underlining is ours)
It is striking that the respondent has invoked in her brief of allegations to the
initiation agreement that, regarding the implications derived from the regulations of
reuse of public sector information, “ [...] the sources from which they have been
collected the data to which the claims made refer and in general
the data incorporated into the FIJ expressly enables the reuse of said
information, so without prejudice to the application of article 4.6 of the LRISP, the
Reference to said rule will not be relevant as an obstacle that allows the
data collection by the former. " (The underlining is ours) And,
then refer to the general conditions of reuse of the website
of the Official State Gazette.
It is surprising that he invokes the information on the BOE website when the rule that
It is applicable with regard to the reuse of public sector information.
is article 4.6 of Law 37/2007, of November 16, on “ reuse of the
public sector information ”, according to which when the documents contain
personal data the applicable legal regime is that of the regulations of
data protection and, therefore, respect for the principle of limitation is mandatory
of the purpose provided in article 5.1.b) RGPD.
Let us also remember that the AEBOE's response to the
consultation made by claimants 35 and 55 about whether it was lawful for
your personal data included in the notification announcements could be processed
in order to integrate a database for profit. The AEBOE
answered:
"[...] In accordance with the foregoing, this State Agency considers that the reuse
of personal data such as names, surnames, ID associated with debts,
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 139
139/184
published in the BOE, that you. requests, it would not be a lawful treatment of data from
personal nature of those provided for in art. 6 of the GDPR and, therefore, in accordance with
what is regulated in both Regulation (EU) 2016/679 and Organic Law 3/2018, of
December 5, they should not be reused by third parties. "
4. The legislator has established various measures that contribute to respecting the principle
limitation of the purpose and that seek to reduce the impact on the right to
protection of data of the administered that could derive from the obligation that
have the Public Administrations to publish through newspapers and bulletins
official administrative acts that contain personal data.
In this sense, it is worth mentioning, on the one hand, articles 40.5 and 46 of the LPACAP.
On the other hand, we must refer to the fact that Law 15/2014, of September 16, on
rationalization of the Public Sector and other administrative reform measures, introduced
the Twenty-first Additional Provision of Law 30/1992, on the Legal Regime of
the Public Administrations (LPAC) from which the implementation of the
06/01/2015 of the Single Edictal Board, where acts of all the
Public administrations.
The notifications announcements that are published through the BOE are integrated into
a document " of an independent nature ", called "Supplement of
notifications ”. Royal Decree 181/2008, of February 8, on the organization of the newspaper
official Official State Gazette, modified as a result of Law 15/2014, configures for the
Notification supplement a different regime from the one provided for by the BOE. Between
other specialties, the aforementioned Royal Decree, restricts to three months from its
publication the period of time during which the Supplement for notifications will be
accessible to the public.
In accordance with Royal Decree 181/2008, the official gazette is structured as (i) “ The content
of the "Official State Gazette ", which includes sections I to V and the " Section of the
Constitutional Court ”, and in (ii)“ a Supplement of notifications of a nature
independent ” in which the notification announcements will be inserted.
Article 11 of this Royal Decree specifies that “ The State Agency Official Gazette of the
The State will guarantee, through open telecommunication networks, access
universal and free to the electronic edition of the official state gazette, without prejudice to
the provisions of article 14.4. " And article 14.4 says:
"4. Notwithstanding the provisions of the previous sections, the Supplement of
notifications will remain freely accessible in the electronic headquarters of the Agency
State Official State Gazette for a period of three months from its
publication, after which the verification code of the
corresponding notice of notification, which will be unique and not foreseeable.
This code can only be conserved, stored and processed by the interested party.
or its representative, as well as by the bodies and Administrations that may
specify it for the exercise of the powers that correspond to them.
The State Agency Official State Gazette will adopt measures aimed at avoiding the
indexing and automatic retrieval of verification codes by subjects
other than those contemplated in the previous paragraph.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 140
140/184
Without prejudice to the provisions of the first additional provision, once the
period of three months established in the first paragraph, the State Agency Bulletin
State official will provide, upon request, the information contained in the announcement of
notification only to the interested party or their representative, the Public Prosecutor, the
Ombudsman, and to the Judges and Courts. " (The underlining is ours)
In the same sense, article 11 of the Royal Decree specifies that " The State Agency
Official State Gazette will guarantee, through open telecommunication networks,
universal and free access to the electronic edition of the official state gazette, without
prejudice to the provisions of article 14.4. "
The precautions that Royal Decree 181/2008 adopts regarding the Supplement of
notifications, the content of which is notification announcements, are not exhausted here.
Article 13 restricts the printed edition of the Supplement to notifications to
in the circumstances described in section 1.a). And article 17, which provides that
the State Agency Official State Gazette (hereinafter AEBOE) will offer in its
electronic headquarters, with a differentiated character from the electronic edition of the BOE " a
of free data that allows the search, retrieval and printing of the
provisions, acts and announcements published in the "Official State Gazette", it adds:
“ However, search, retrieval and printing, through the database service
data, of the notification announcements published in the Notification Supplement,
it will only be possible during the three-month period provided for in article 14.4. " (The
underlined is ours)
Any citizen who wishes to do a search for the Notifications Supplement
published in a BOE three months after its publication you will not find it. In its
Instead, the BOE website offers this message: "In accordance with article 14
of Royal Decree 181/2008, of February 8, on the organization of the official gazette "Boletín
Official of the State ", the Supplement of notifications corresponding to this date has
no longer freely accessible. More info"
Well, while in accordance with article 14.4 of the regulatory norm,
after the period of three months, they will only be able to access the information
contained in an advertisement, with prior authorization from AEBOE, the interested party or their
representative, the Public Prosecutor, the Ombudsman and the Judges and Courts,
we find ourselves with the paradoxical situation that EQUIFAX has this information
in the FIJ, accessible to its associates for a period of six years in accordance with the
documentation that is in the file.
The claimed, aware of the time limit imposed by article 14.4 of the Real
Decree 181/2008, has adopted the technical measures to store the information and
dispose of it beyond the three months following publication.
The FIJ RAT, both the final version and document 4 of the first version, which
EQUIFAX has contributed in response to the test carried out, as it shows. The
section 8 of the RAT, under the heading "Information suppression periods ", says:
" The information is accessible for 3 months and then is stored in a directory
Linux in order to be able to work later with the data. Bliss
The information, saved in “PDF” format, will be available for a period of 10
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 141
141/184
years from the date of publication, and this with the sole purpose of being able to attend the
possible claims and respond to requests for information by the
competent administrative body, as well as the courts and tribunals. " (The
underlined is ours)
5. In its allegations to the proposed resolution EQUIFAX states that this
principle has not undergone any modification in the RGPD, as it reproduces almost
in full what was established by Directive 95/46 / EC on it, and then goes on to
affirm that " within the regime of transposition of the Directive into our Law [...]"
Article 29.1. of the LOPD “did not appreciate that [...] it was contrary to the principle of
limitation of purpose enshrined by Directive 96/46 / CE, ” the treatment of
personal data carried out by those who are dedicated to the provision of services
of information on the capital solvency and credit consisting of the collection of
personal data obtained from the records and sources accessible to the
public established for this purpose.
It also affirms that “ the legal basis that justified the collection of the data object of
publication [was] obtain information on the capital solvency and credit of the
interested parties based on the available information related to them ”, and that
"This legal basis was expressly included in the LOPD, and should
its article 29.1 be interpreted in the sense that [...] the treatment was covered
in the prevailing legitimate interest of those who proceed, as my principal, to
treatment of the data, since there is an unequivocal legal authorization for said
treatment could take place ”. (The underlining is ours)
The defendant concludes her argument regarding the " breach of the principle of
purpose ” with the paragraph that we reproduce:
" In short, the data is not processed in this case
contained in the FIJ for a purpose other than the one that motivated its collection, since
this was precisely what justified the maintenance of the data in the system and its
access by the entities that are adhered to the FIJ in order to
know the solvency and credit of its debtors or potential debtors,
on the basis of a prevailing legitimate interest that, at least until entry into
validity of the LOPDGDD was expressly authorized by the regulations of
personal data protection." (The underlining is ours)
In the same line of argument it says that " this compatibility (or that character" does not
different ”from the purpose) was appreciated even after the entry into force
of Royal Decree 181/2008, of February 8, on the organization of the official gazette «Boletín
Official of the State »(hereinafter,“ RDBOE ”), to which the
Proposal". Also, after the entry into force of Law 37/2007, of 16 December
November, on reuse of public sector information and Law 19/2013, of
December 9, transparency, access to information and good governance . (The
underlined is ours)
He also makes another equally surprising statement: “[...] it must be remembered that
measures adopted by RDBOE, which would reflect the restrictions that
subsequently, with regard to open data, the Group revealed
of Article 29 (hereinafter GT29) in its Opinion 3/2013 on the
limitation of purpose, [...] do not refer to data processing such as that carried out
carried out by my client through the FIJ, in which access to information is
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 142
142/184
limited to creditors or potential creditors of the interested party. These measures, by the
On the contrary, they try to avoid not an access subject to the condition of creditor, real or
potential, but an indiscriminate access to the data that is the subject of publication in the
official newspapers. " (The underlining is ours)
Indeed, the regulation of the principle of limitation of the purpose contained in the
Directive 95/46 / EC is practically the same as that of the text of article 5.1.b) of the
GDPR. It is at this point that we can only agree with what is alleged by the
claimed in its defense against the infringement of the principle of limitation of purpose
attached to it.
The respondent denies the violation of article 5.1.b) RGPD and affirms that the proposal
has made a forced interpretation of Recital 50 of the GDPR. Interestingly, the
The explanation offered is certainly a forced interpretation. Thus, it states that the
Treatment of the data contained in the FIJ does not have a purpose other than that
that has motivated its collection since, precisely that purpose -the one that motivated the
data collection- it is the one that justifies that they remain in the system and that
the adhered entities access them.
This statement is supported by the consideration that the purpose that gave rise to what
called " the collection " of the data is identified with the collection that EQUIFAX makes
of the data published in official newspapers and gazettes and not with data collection
for the original treatment, which is to which the RGPD, like the Directive, is
is referring. Statement that is based, in turn, on the fact that the rule of article 29.1
LOPD established the prevalence of a legitimate interest of those responsible for the
equity solvency information systems such as the FIJ “ since there is a
unequivocal legal authorization so that said treatment could take place "
On this subject, two questions must be specified: the first is that the norm of the
Article 29.1 of the LOPD was repealed by the LOPDGDD which entered into force on
12/07/2018. The second, that the interpretation of article 29.1. LOPD that defends
would mean that under this precept the person responsible for the treatment of
an information system such as the FIJ of compliance with the obligations that
imposed by the LOPD, such as those provided for in article 4.2 LOPD.
Well, article 37 of the RLOPD, " General Regime ", framed in title IV -
Provisions applicable to certain privately owned files - Chapter I
-information files on financial solvency and credit-, established:
"The processing of personal data on financial solvency and credit,
provided for in section 1 of article 29 of Organic Law 15/1999, of 13
December, will be subject to the provisions, in general, in said organic law and
in these regulations. "
In short, at the same time it argues that the principle of purpose limitation does not
has changed its regulation in the Directive and the RGPD -a statement that seeks to support its
thesis that there has not been a normative change between the existing legal regime
during the validity of the LOPD and the one provided for in the RGPD, so having adjusted
its behavior to the same legal regime is the AEPD who, in the face of the identity
of standards, is adopting different solutions - and claims that it does not violate the principle
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 143
143/184
of limitation of the purpose foreseen in the Directive -which was transferred to our Law
internal law in article 4.2 LOPD - because a rule of internal law, which does not have
correlate in Directive 95/46 / EC, article 29.1. LOPD, exempts you from complying with said
beginning. And this, supported by its statement that article 29.1 LOPD “ does not
I appreciate that the treatment to which you referred was contrary to the principle of limitation of
the purpose .
Thus, through the interpretation made of article 29.1 LOPD this
provision has the scope to establish a legal presumption of prevalence of interest
legitimate authority of the entities responsible for files such as the FIJ and to exempt them from
compliance with the obligations imposed by the LOPD, in particular by what here
interest of article 4.2. LOPD.
On the other hand, the claimed party brings up the Royal Decree on several occasions
181/2008, of organization of the official gazette Official State Gazette (RDBOE). Nails
times to affirm that “ this compatibility (or that“ not different ”character of the
purpose) was appreciated even after the entry into force ” of the RDBOE and
others to make inadmissible considerations, such as that the measures adopted by
RDBOE , "do not refer to data processing such as that carried out by me
principal through the FIJ, in which access to information is limited to
creditors or potential creditors of the interested party. "
6. From the preceding exposition, it is concluded that EQUIFAX has been dealing with the
personal data of the claimants through the FIJ in violation of the principle of
limitation of the purpose provided for in article 5.1.b) of the RGPD.
This offense is classified in article 83.5.a) of the RGPD, which establishes:
"Violations of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for
the highest amount:
a ) the basic principles for the treatment, including the conditions for the treatment
consent in accordance with articles 5, 6, 7 and 9; [...] "
On the other hand, for the purposes of prescription, the LOPDGDD qualifies in its article 72.1.a)
the violation of article 5.1.b) of a very serious offense.
SAW
Of the infringement of the principle of legality
1.The RGPD deals in article 5 with the principles that govern the treatment of
personal data and in section 1.a) provides that personal data
They will be treated in a " lawful, loyal and transparent manner in relation to the interested party ". On
In the same sense, Recital 39 says that “ All processing of personal data
it must be lawful [...] "
In accordance with article 6.1 of the RGPD so that the processing of personal data is
lawful must be based on at least one of the circumstances that this precept
relates. Letter f) of article 6.1. provides that the processing of personal data
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 144
144/184
It will be lawful when “ the treatment is necessary for the satisfaction of interests
pursued by the person responsible for the treatment or by a third party, provided that
the interests or the rights and freedoms do not prevail over said interests
fundamental data of the interested party that require the protection of personal data, in
particularly when the interested party is a child. "
The STJUE of 11/24/2011, cited so many times, which declared the direct effect of the
provision of article 7.f) of Directives 95/46, regarding the legal basis of the
prevalence of legitimate interest, indicated that the aforementioned provision establishes two requirements
accumulative so that a processing of personal data is lawful, that is, by a
party, that such processing of personal data is necessary for the satisfaction of the
legitimate interest pursued by the person responsible for the treatment or by the third party or
third parties to whom the data is communicated, and, on the other hand, that the
fundamental rights and freedoms of the interested party ( section 38). Also add, to
purpose of the weighting, which will depend, in principle, on the circumstances
specific to the particular case in question and in the framework of which the person or institution
who makes the weighting must take into account the importance of the rights that
Articles 7 and 8 of the Charter of Fundamental Rights of the European Union
conferred on the interested party (section 40).
Recital 47 of Regulation (EU) 2016/679 contributes to the task of clarifying
the content and scope of the legitimizing circumstance of article 6.1.f) RGPD. The
Opinion 6/2014 prepared by the Article 29 Working Group (hereinafter,
GT29) related to the “ Concept of legitimate interest of the person responsible for the treatment of
data pursuant to Article 7 of Directive 95/46 / EC ”, dated 04/09/2014, facilitates the
interpretation of Article 7.1.f) of the Directive and offers guidelines for the mandatory
weighting of competing interests and rights.
The application of article 6.1.f) RGP requires that there is a legitimate interest of the
responsible for the treatment or the third party; that the treatment is necessary for the
satisfaction of the legitimate interest pursued; and that in the weighting of interest
legitimate party of the data controller or third parties on the one hand and the impact that
about the interests, fundamental rights and freedoms of the interested party causes the
Data processing that is intended to be carried out, on the other hand, the former prevails.
Now, in order to conclude that a certain processing of personal data
is based on the prevalence of the legitimate interest of the person in charge or of third parties against
to the interests or fundamental rights of the owners of the data -as and as
argues EQUIFAX regarding the FIJ-, following the guidelines of the Opinion of the GT29 6/2014,
The analysis must begin by examining whether the legitimate interest invoked (i) is lawful, it is
that is, in accordance with applicable national and EU legislation; (ii) sufficiently
that is, it is articulated clearly enough to allow the
balancing test is carried out against the interests and
fundamental rights of the interested party and (iii) represent a real and current interest, not
speculative.
Therefore, the first element to examine is the legality of the legitimate interest invoked;
that is, if the treatment necessary to satisfy such interest is adapted to the legislation
national and EU Opinion 6/2014 of the WG29 says that an interest can
be considered legitimate " provided that the person responsible for the treatment can pursue
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 145
145/184
this interest in accordance with the laws relating to data protection and with the
rest of the legislation ” .” (The underlining is ours)
The defendant has specified in her brief of allegations to the initiation agreement what is
the legitimate interest that the FIJ seeks to satisfy with the data processing carried out and
states that it is a double interest:
(i) An interest linked to the assessment of the solvency of those affected and (ii) an interest
linked to fraud prevention. Regarding the first one - linked to the evaluation
of solvency - considers that they hold it themselves, EQUIFAX; the third parties that
they consult the information contained in the file and the borrowers and consumers.
It justifies the interest linked to the assessment of the solvency of which she is the holder in
that information systems related to information on solvency
are a necessary tool to understand the risk that may be incurred by
borrowers in their operations and, it states, that the legislator implicitly acknowledges
that function of information systems related to information on
solvency by having articulated in article 20 of the LOPDGDD an iuris presumption
tantum of legality of the treatment in relation to the files to which that
precept. It also invokes the STJUE OF 12/18/2014 (case C-449/13) which recognizes the
possibility for the lender to go to these sources to assess the creditworthiness of the
consumer.
Regarding the interest associated with the assessment of the solvency that the
third parties that consult the information contained in the FIJ explains that, through the
file, obtain complete information on the circumstances that occur in the
potential borrower by joining the one that the credit institution obtains from the
information regulated in article 20 of the LOPDGDD. In his opinion, the recognition
of this legitimate interest of third parties is reflected in the Preamble of the Circular
1/2013, of May 24, of the Bank of Spain, on the Information Center of
Risks and obligations that, in order to make the principle of granting the
responsible credit, impose Law 16/2011, of June 24, on credit agreements to the
consumption and Law 5/2019, of March 15, regulating credit contracts
real estate.
It also preaches a legitimate interest related to the assessment of the creditworthiness of
borrowers and consumers, which justifies that a more correct valuation of the
Risk in granting credit will allow better conditions in granting it
and will benefit all consumers, which leads him to conclude that therefore " the
legitimate interest pursued by the treatment also has a dimension of interest
social ”.
Regarding the legitimate interest linked to the prevention of fraud, it says that through
of the data processing carried out through the FIJ facilitates the borrowing entities
information that allows them to verify if the information they have and that they associate with
certain data is consistent or inconsistent with that contained in bulletins and
official newspapers and adds that the AEPD revealed the existence of an interest
legitimate in the common fraud prevention systems that is reflected in the
Legal Cabinet reports 318/2013, 105/14, 106/14, 103/16 and 256/16.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 146
146/184
2. Thus, the interest of the data controller will be legitimate if it is "lawful", it is
that is, if the treatment necessary to satisfy it is respectful with the legislation
applicable national and EU Therefore, from the point of view of the GDPR
It will be necessary to determine if the data processing that the complainant carries out through
of the FIJ complies with the rules that regulate the fundamental right to the protection of
data and, in particular, the principles that govern the treatment.
As has been stated in the preceding foundation, it is proven that the
treatment that EQUIFAX has been doing of the personal data of the claimants
violates the principle of purpose limitation provided in article 5.1.b) of the RGPD.
This breach has the consequence of causing the legitimate interest
invoked by EQUIFAX, on whose alleged prevalence supports the foundation
legal data processing carried out (article 6.1.f, RGPD), cannot comply with the
legality requirement.
Ultimately, the interest defended by the claimed is incompatible with compliance
of the law that regulates and guarantees the fundamental right to data protection
personal. That interest requires for your satisfaction a data processing that
clearly violates the RGPD and, as stated in Opinion 6/2014, “[...] the
data controller […] can pursue any interest, as long as it does not
is illegitimate. "
The illegality of the interest pursued by EQUIFAX is reinforced by the fact that the
data processing carried out by the FIJ not only violates the principle of limitation
of the purpose (article 5.1.b RGPD), but, as will be explained later,
We believe that it violates other provisions of the RGPD: the principle of accuracy of the
data (article 5.1.d); article 14 of the RGPD in relation to article 5.1.a) and the
data minimization principle (article 5.1.c).
Based on this circumstance, it would not be necessary to carry out the
balancing or balancing between the interest invoked by EQUIFAX and the impact that
the treatment supposes on the fundamental right of the administered ones, by the
simple reason that the first of the conditions for applying the
legal basis of article 6.1.f) RGPD following the system offered by the
Opinion 6/2014 of the GT29.
However, we now make such a weighting between the interest defended by EQUIFAX
and the rights and interests of those affected.
In the first place, article 6.1.f) requires that the treatment be " necessary", in the
sense in which the concept of necessity is interpreted by the European Court of
Human Rights (ECHR). Without prejudice to the fact that the treatment of the data of the
claimants is "useful", "desirable" or "reasonable", as specified by the ECHR in its
Judgment of 3/25/1983 the term "necessary" does not have the flexibility that is implicit
in those expressions. What EQUIFAX qualifies as a legal interest pursued through
of the processing of personal data incorporated into the FIJ - know the debts and
claims of natural persons to give " security to commercial traffic",
“Prevent delinquency” and “assess the financial solvency” of these people - you can
obtained by means of other instruments that do not suppose such a resounding attack on the
fundamental right protected by the GDPR. For this reason, the media should be consulted
less invasive to serve the same purpose. "
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 147
147/184
At this point we refer to the report of the Legal Office of the AEPD 372/2016
that, on the occasion of the evaluation of a processing of personal data obtained from
public sources with the purpose of analyzing the solvency of their holders, pointed out that
“ Need is not to be confused with convenience. The prosecution of solvency
economic could be considered, in accordance with the terms of the consultation,
convenient, but in no case necessary [...]. Credit or solvency risk
debtor's economic risk is a risk that is not at all exclusive to a company of
insurance, but typical of any commercial or financial relationship . " (The underline is
our)
Focused on weighing the interests and rights faced, we have to go
to the criterion repeatedly followed by the Constitutional Court on the
constitutionality of a restrictive measure of a fundamental right (SSTC
66/1995, of May 8, FJ 5; 55/1996, of March 28, FFJJ 6, 7, 8 and 9; 207/1996, of
December 16, FJ 4 e), and 37/1998, of February 17, FJ 8)
To check if a restrictive measure of a fundamental right exceeds the judgment
proportionality, it will be necessary to verify that it meets the three requirements or
following conditions: if that measure is likely to achieve the objective
proposed (suitability judgment); if, furthermore, it is necessary, in the sense that it is not
there is another more moderate measure to achieve this purpose with the same
efficacy (judgment of necessity); and, finally, if it is weighted or balanced,
for deriving from it more benefits or advantages for the general interest than damages
on other goods or values ​​in conflict (judgment of proportionality in the sense
strict).
In the present case, it cannot be admitted that the judgment of necessity is fulfilled, therefore
indicated and because there are other alternatives to obtain the information on the
economic solvency.
The suitability judgment is not met either, since, for the treatment that
carried out by the IJF could really satisfy the interests it invokes - linked to the
information on the financial solvency and the prevention of fraud-, it would be
It is essential that the information on the alleged debts attributed to the
claimants were up-to-date - the principle of accuracy that the FIJ does not comply with - and,
in addition, have data of those affected that fully identify them. In the wake of
the entry into force of the LOPDGDD and by virtue of the provision of its provision
additional seventh, in the case of publications of administrative acts - in which no
The complete DNI / NIF information will appear - unequivocal identification will be impossible
of the owners of the data. It is added for the purpose of suitability that the information
that is provided represents a small part of the people who have debts
pending with Public Administrations, only to the reduced group that does not
has been notified personally and has forced the Administration to carry out the
relevant notification through the publication of announcements or edicts.
And, finally and fundamentally, there is no balance between the interests that
EQUIFAX pursues through the FIJ and the damages suffered by the holders of the
data. To the absolute inexistence of an expectation of the owner of the data to which
produces a treatment of them, collected from an official newspaper, by a
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 148
148/184
private company that prepares and operates a file with solvency information
negative, the obvious negative impact that this treatment produces on the
owner of the data.
In the matter we are examining, the fundamental right that empowers its owner to
dispose of the personal data that concerns them must prevail over what
EQUIFAX considers your legitimate interest.
The obvious convenience that it can represent for a certain sector of the
commercial activity to see the risk inherent in their activity diminished is not proportional
the clear violation of the fundamental right recognized in the EC (Article 18.4) and
in the Charter of Fundamental Rights of the EU (Article 8) that is perpetrated with the
data processing carried out by the FIJ. Following the same criteria, it would be necessary to
allow future intrusions " à la carte" when other sectors of the activity
they also consider it very convenient for their interests. With total
clarity has ruled on this issue the STS of 06/20/2020 (R. cassation
1074/2019), whose sixth Legal Basis says, regarding one of the
issues of appeal raised in the writ of admission of the appeal, which
“The commercial interests of a company responsible for a data file have
to yield before the legitimate interest of the owner of the data to the protection of the same ”.
Nor is it admissible to justify this interference with fundamental law in the
function that the claimed claims are attributed: that of being a necessary tool for
know the risk that borrowers may incur in their operations that
affects the proper functioning of the economic activity related to the
creditworthiness.
On the other hand, the different legal norms that refer to the consultation of the
solvency information systems to comply with the principle of credit
responsible - cited in detail by the claimed in its brief of allegations-
always make a very clear precision: that information systems on
solvency and the measures adopted must fully respect the regulations of
Personal data protection.
As a complement to the above, another element to be assessed in this weighting but
not related to the fundamental right guaranteed in article 18.4 EC, is the
relative to the "interests" of those affected by this treatment; interests (without the adjective
of “legitimate”) that article 6.1 f) of the RGPD also takes into consideration in the
confrontation with the legitimate interest of the data controller or third parties
to whom the data is communicated. Thus, it would be appreciated - following the report of the
Legal Cabinet 372 / 2016- an interest in favor of the claimants in knowing and giving their
consent to carry out a processing of your personal data that
influence your future relationships with credit institutions.
Ultimately, the conclusion of the weighing trial could in no case be
favorable to the prevalence of interest that EQUIFAX intends to satisfy through the
FIX.
This conclusion is not altered in light of the arguments that EQUIFAX has
wielded in its brief of allegations to the initial agreement in favor of the prevalence
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 149
149/184
of the legitimate interest that it invokes. On the contrary, the arguments adduced
- "evidence" in the terminology used - confirms the illegality of the
data processing carried out by the FIJ, since the circumstances alleged
must be rejected for obvious reasons derived from what has been argued up to
moment. However, we now analyze the arguments or "evidence" alleged
in favor of the prevalence of the “ legitimate interest of Equifax, its user companies and
the company itself ” on the rights and interests of the data subjects:
to. The recognition that the LOPD made, through article 29.1, of the prevalence
of the legitimate interest that she invokes. It adds that the currently applicable regulations do not
has changed substantially with respect to the previous one, but rather that “the legal bases and
principles applicable to the treatment remain unchanged as a consequence of the
entry into force of the RGPD ”.
b. The fact that the LOPDGDD, article 20, establishes a presumption iuris tantum
of prevalence of the legitimate interest of credit information systems. It states
that, since “ the legitimate interest that justifies the treatment [of the
credit information of article 20 LOPDGDD] is identical to that pursued by the FIJ ” and
that “ the impact on the rights and interests of the interested parties as a consequence
the processing of your data in the FIJ is [is] substantially similar to that generated
the processing of your data in credit information systems ", article 20
LOPDGDD constitutes an evident indication of the prevalence of the legitimate interest that the
FIJ aims to satisfy.
c. The reference to the jurisprudence of the CJEU, which is specified in the aforementioned STJUE of
11/24/2011.
d. The attitude of the AEPD, which, in its opinion, has been “ recognizing up to now the
legality of these systems without having carried out a requirement, warning or
any warning addressed to my client, as has been analyzed in the
third claim of this writing. " To which was added the knowledge that the AEPD had
noted that ASEDIE's draft Code of Conduct included an examination of the
prevalence of the legitimate interest of the entities that manage these systems of
information without having made any statement contrary to such matter.
Well, all the elements, considerations or evidences - in the words of the
claimed- favorable to the prevalence of the legitimate interest that EQUIFAX seeks
satisfy through the FIJ must be rejected.
Regarding the first factor that he argues, this clarification should be made:
Even though article 29.1 LOPD supposedly established a presumption iuris
tantum of prevalence of the legitimate interest defended in favor of the
information on financial solvency and credit characterized only, so that
here it is of interest, because of the source or origin from which they obtained the information, as a result of the
STJUE so often cited, which declares the direct effect of article 7.f) of the Directive
95/46, it could not be ignored that these information systems on
patrimonial solvency referred to in article 29.1 LOPD were obliged to
comply with the principles that governed the processing of data in the LOPD, the principle
quality of the data and specifically the limitation of the purpose or the
accuracy (articles 4.2. and 4.3 LOPD), with the consequences that this entailed
Regarding the legality of the treatment carried out by EQUIFAX through the FIJ. Deny
this objective reality with the argument that “the legal bases and principles
applicable to the treatment remain unchanged as a result of the entry
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 150
150/184
in force of the RGPD ”, is to mix interestingly what is comparable with what is not.
The principles that govern the treatment of
the data and the legal bases of the treatment, but article 29.1 LOPD was neither
one thing or the other.
The claim to extend the iuris presumption must also be rejected.
tantum that the LOPDGDD has established in favor of information systems
credit of article 20 with information systems such as the FIJ. It, for the reason
fundamental that, in the system designed by article 20 LOPDGDD, it is the
creditor, who obviously maintains a relationship with the debtor, who communicates the
personal data to the file, so the principle of limitation of the
purpose and, from that point of view, the treatment necessary to satisfy that
interest is respectful of the principle of limitation of purpose.
Second, because these files are surrounded by guarantees to comply with the principle of
accuracy. In them, it is the creditor, in general, who communicates the debt to the
file. Nothing to do with the information that is collected from an advertisement published in a
official diary.
On the other hand, the holders of financial solvency files, with the purpose of
respect the principle of accuracy, articulate rigorous mechanisms of their own accord and
effective for updating the data and thus avoid incurring in an infringement of the
data protection regulations. Thus, in this type of files the associates that
report an unpaid debt must confirm with a certain periodicity the
information reported to the file. So the reported incidents are not
maintained in these systems sine die, but their permanence is subject to the
confirmation to the system. When reiterated by the creditor, the information must have been
verify that the default situation continues - which you can perfectly do now
that it is he who knows first-hand if the debt has been extinguished or not- and
At the same time, if the creditor does not repeat the communication of the debt, the system of
Credit information automatically proceeds to remove that entry. If
this were not enough, the legislator of the LOPDGDD attributes to the reporting creditor the
obligation to guarantee the accuracy of the debt, without prejudice to the fact that the RGPD,
Article 26, grants the reporting creditor the status of co-responsible together with the
entity that maintains the credit information system.
Third, for the remaining guarantees that are established in favor of the holders of the
data: guarantees of transparency and limitation of the time during which the
information will be available. The inclusion of a debtor's data in one of these
systems provided for in article 20 LOPDGDD has been preceded by the information
on the adverse consequences that would arise for him if he did not pay the
Debt. In addition, the LOPDGDD in article 20 has doubled the
guarantees in favor of the debtor regarding the system provided for in article 29.2 LOPD and
38 and following of the RLOPD: the maximum inclusion time has been reduced to 5 years
from the expiration of the obligation (article 20.1.d, LOPDGDD) and the entity
The person responsible for the information system is obliged to keep the
data of the affected party during the thirty days following the notification of the debt to the
system (article 20.1.c, LOPDGDD)
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 151
151/184
The two remaining factors cited by the complainant to support the prevalence of the
interests that it defends are equally unacceptable and with respect to them, we refer to
the considerations made in other sections of this proposed resolution.
3. The principle of proactive responsibility obliges the data controller to
be in a position to demonstrate that the treatment carried out is covered
on the legal basis that it invokes.
Regarding the analysis that the respondent should have carried out before the
effective application of the GDPR to verify the existence of a legitimate interest
prevailing under article 6.1.f) which, as it has been stating, constitutes
the legal basis for the data processing carried out through the FIJ,
is worth mentioning, due to its obvious importance in the valuation of the element
culpabilistic of the offense, the claim that he has made that with the application
effective GDPR did not consider it necessary to carry out an analysis that indeed
The legitimate interest that
defends. It has stated in its brief of allegations in this regard that the
" Evidence cited together with the fact that, in his opinion, the requirements were met
established by the GT29 in its Opinion 6/2014 ”sufficiently accredited the interest
legitimate whose prevalence it defends.
Thus, it states that it considered unnecessary to carry out a legitimate interest analysis
specific to the FIJ since “[...] the regulation itself when weighing
interests applicable to the treatment regulated in article 20 of the LOPDGDD already
it was enough to supplement the adoption of this measure "
It should be added that the document on the analysis of the prevailing legal interest
prepared in December 2019 that has provided both in the test phase and in annex
to your brief of allegations to the initiation agreement, (LIA Judicial File, Legal Analysis,
December 2019), to which we have referred in the Legal Basis
above and will be done in the following Legal Basis, highlights its
perfect knowledge that the treatment carried out violated principles of
treatment provided for in the RGPD and that, therefore, the application of the
Article 6.1.f) RGPD as the legal basis for the treatment.
4. The respondent states in its allegations to the proposed resolution that
collected in the proposal is enough to refute what was stated in their allegations
to the initiation agreement; allegations that he considers reproduced and complemented with what
which now exposes:
That EQUIFAX has an “ evident legal basis, the concurrence of an interest
legitimate prevailing, for the treatment of the data in the FIJ. " Thus, it says that “[...]
These information systems were expressly equipped with a
presumption of prevalence of the aforementioned legitimate interest ”. (The underlining is ours)
Later he adds:
“Obviously, article 29.1 of the LOPD did not regulate the basic principles or the
legal bases of the treatment, but determined that, on the basis of principles and
legal bases identical to those contained in the RGPD, data processing
collected in it was lawful. That is, either article 29.1 of the LOPD is
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 152
152/184
exceeded the regime contained in the Directive, enabling nothing less
that a treatment that violated its articles 6 and 7 in the terms assumed by the
Proposal for a Resolution, something that no Court or the Institutions of the Union
European (and even less the AEPD itself) even hinted at any time or,
the principles and legal bases remaining unchanged, this treatment is so
according to the RGPD as it was to the Directive. This fact is undoubted, by far
that it is a question of forcing the argumentation in another sense. " (The underlining is ours)
It also states that in its previous allegations it proved that, in the
this case, concurred triple -idoneidad judgment, necessity and proportionality strictu
sensu - required by constitutional jurisprudence for the treatment carried out
by the FIJ it will be in accordance with the RGPD; weighting that, he affirms, is favorable to
legitimate interest that justifies it. Regarding the aforementioned triple judgment, it is limited to
make various considerations in relation to what was argued in the proposal of
resolution. Considerations that, for the most part, do not conform to the truth or not
they respect the context in which they were made. We reproduce some of them:
“[...] the Proposal for a Resolution: [considers] that the legitimate interest underlying the
processing of data in the FIJ is nothing more than a mere "convenience" for
"Perpetrate" what is called "intrusions a la carte" in the rights of the
interested parties (the expressions used are from the Proposed Resolution, not from my
represented). "
“[...] in the opinion of the AEPD the [CIRBE is] the only information system that contributes to
the purpose pursued by the treatment carried out by the FIJ. "
“[..] making the AEPD the principle of reasonable expectation (derived from nothing less
the fact that these systems exist in our law and have been expressly
regulated by it since 1992 and that the debtor must reasonably expect
that your creditworthiness will be assessed before obtaining a loan) in the “reasonable expectation”
of the delinquent debtor that their debt is not known and the financing is granted, even
when this damages the principles of responsible credit enshrined by the
legislator".
From what is alleged by the claimed in that brief in defense of the alleged non-existence
of the violation of article 6.1. GDPR two relevant conclusions are drawn:
The first, that, in the opinion of the entity, the legal basis for data processing
made by the FIJ during the validity of the LOPD and after the
CJEU of 11/24/2011 was based on a presumption of prevalence of interest
legitimate established in article 29.1 LOPD. I precept that, otherwise, no
contained no guarantee or safeguards in favor of the data subjects. This
despite the fact that this interpretation of article 29.1 LOPD defended by EQUIFAX included
in contradiction with the principle of limitation of the purpose contained in article 4.2.
LOPD.
The second consequence is that, to the extent that the respondent constructs the
basis of the data processing carried out by the FIJ during the validity of the
LOPD in a rule of internal law, namely, in article 29.1 of the LOPD -because
It is on this article that he bases the dispensation of respecting the imposed obligation
by article 4.2. LOPD- cannot continue to maintain that there has not been a
substantial change between the legal regime established by the LOPD and the
legal introduced by the RGPD.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 153
153/184
The direct consequence of his allegation regarding the non-existence of a violation of the
Article 6.1 RGPD is that it invalidates its own argument that the AEPD,
With the opening of this sanctioning file, it has violated the principle of
legitimate confidence.
Pursuant to the alleged violation of the principle of legitimate confidence attributed to
The AEPD has been holding that, according to the doctrine of the Contentious Chamber
Administrative of the National Court, taking into account that it is not admissible
introduce a change of criterion in a sanctioning procedure and that in the
In this case, the change in criteria could not be covered by the existence of a change
normative between the Directive and the RGPD since the principles and legal bases
of the RGPD are essentially those established by the Directive, the
file of the file and also the element of the
guilt, which would also lead to the filing of the absence procedure
of sanctioning responsibility
These assertions of the defendant, which are examined in the Fundamentals
Previous legal, start from a premise exposed by that entity with
reiteration: that there has been no regulatory change between the Directive and the RGPD that
could support the change of position of the AEPD since the principles and bases
GDPR legal regulations are almost identical to those established by the Directive
In light of the exposition that the defendant makes to deny the infringement of the principle
of legality that is imputed to him as well as of the manifested to deny the infraction of the
purpose limitation principle, it is obvious that the basis of his allegation is not
the rules of the Directive (that is, the principles and legal bases contained in it
establish) but the reference to a rule of domestic law, article 29.1 LOPD,
which is neither in force at present, nor does it derive from the transposition of the Directive
95/46 / CE, nor does it exist in the GDPR.
Ultimately, as noted in the motion for a resolution, the respondent claims
that it is not possible to justify the change of criteria of the AEPD -materialized in the
sanctioning file that concerns us- in an alleged regulatory change every time
that said regulatory change has not entailed a change in the legal bases of the
treatment and the principles that govern said treatment, setting the terms of
the comparison in the Directive and the GDPR. And at the same time, in parallel, the
claimed, argues as a basis for the treatment that it had been carrying out during the
Regime of the LOPD article 29.1 LOPD, provision that, as indicated in the
does not contain a legal basis for the treatment or a guiding principle for the
treatment provided for in Directive 95/46 / EC and which, furthermore, is not a consequence of the
transposition of Directive 95/46 / CE into Spanish law.
5.Of the preceding exposition and the documentation that is in the file
regarding the claimants, it is proven that EQUIFAX has been dealing with the
personal data of those affected included in the FIJ violating the principle of legality,
since the treatment was not based on any of the legal bases that relate
Article 6.1 GDPR.
The conducts in which the data processing carried out by
the claimed violating article 6.1 RGPD, in relation to article 5.1.a) of the
same rule, consisted of collecting data published in bulletins and
official journals and, also occasionally, on bulletin boards or electronic headquarters of
Public Law entities; in the storage of that information and in the
eventual transfer of these data to third parties, associates or clients of EQUIFAX.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 154
154/184
The infringement of article 6.1 RGPD is typified in article 83.5.a) RGPD that
establishes:
"Violations of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for
the highest amount:
a ) the basic principles for the treatment, including the conditions for the treatment
consent in accordance with articles 5, 6, 7 and 9; [...] "
On the other hand, for the purposes of prescription, the LOPDGDD qualifies in its article 72.1.
as a very serious infringement “ b) The processing of personal data without concurring
any of the conditions of legality of the treatment established in article 6 of the
Regulation (EU) 2016/679 ”.
VII
Of the infringement of the principle of accuracy
1. Article 5.1.d) of the RGPD, regarding the principle of accuracy, provides that the data
personal data subject to treatment will be “ accurate and, if necessary, updated; I know
will take all reasonable measures so that they are suppressed or rectified without
delay personal data that are inaccurate with respect to the purposes for which
are treated ('accuracy') "
Recital 39 adds that all reasonable measures must be taken to
ensure that inaccurate personal data is rectified or deleted
The principle of accuracy implies that the data controller who has the
personal information will not use such information without taking steps that
guarantee, with reasonable certainty, that the data is accurate and is
updated. In turn, the obligation to guarantee the accuracy of the data must
considered in the context of the purpose of the treatment. The GDPR imposes the
responsible for the treatment the obligation to keep the data updated since
says that the data will be accurate "and, if necessary, updated"; need that
is connected with the purpose of the treatment.
EQUIFAX has stated that the purpose of the treatment it carries out through the
FIJ is linked to the " assessment of the solvency of those affected ". Therefore, only
If the data included in the file reflect the current situation, they will be suitable for the
Intended purpose of evaluating the creditworthiness of borrowers.
The sources from which the FIJ draws are official newspapers and gazettes. The
The information contained therein, and accessed by the FIJ, is pertinent to
that the Public Administration can fulfill the purpose it seeks to satisfy and that has
justified that personal data of the administered ones were made public. Without
However, this information is not adequate for the purpose of a file such as the
FIX. The disparity and incompatibility between the purpose of the original treatment and the
pursued by the FIJ determines that the information that this file collects is
fragmentary - it has only part of the information related to the debt and in
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 155
155/184
sometimes only a part of the identifying data of the alleged debtors- and
it is also disconnected from the future of debt.
The debt is linked to a natural person in an act of notification that sees the light
public at a specific time. The avatars that from that moment can
affect the existence of the debt and its link to the alleged debtor are
countless. Among them, to mention a few, the payment by the debtor or the execution
of the debt by the Administration, of which EQUIFAX will not have
news if the notification of the acts of the execution procedure is carried out
personally and it is not necessary to go to the notification by publishing
edicts.
In this way, the information collected by the FIJ is kept without updating,
unalterable in the file for a maximum period of six years computed from the date of
date of publication, unless the affected party exercises the right of deletion or
rectification. In the present case, with respect to the claimants, there are annotations
of non-payment published in 2013, although the vast majority of the announcements were
published between 2016 and 2019.
The answer that EQUIFAX has given to the question asked in the test phase
about the mechanisms for updating the information incorporated into the FIJ is a
implicit acknowledgment that it lacks the means to verify its accuracy. So that
the information that the FIJ collects was up-to-date, and thus be able to guarantee the
principle of accuracy, it would need the collaboration of the holders of the
data or the creditor Administration, which obviously does not happen.
It is enough to remember how the entities that maintain information systems
credit established in article 20 of the LOPDGDD act to comply with the
principle of accuracy in order to appreciate the absurdity involved in maintaining a
file for up to six years debts that one day were published in an official gazette and
which nothing else is known from that date. The mechanics of
internal functioning of such systems that their managers have designed with the
purpose of complying with the principle of data accuracy.
A proof that the FIJ cannot guarantee the accuracy of the information that
offers is that more than 25% of the claimants, before going to the AEPD, had already
provided to EQUIFAX documents that demonstrated that the FIJ was
publishing inaccurate information associated with your data. In the file were
linking extinguished debts to your personal data. We refer to
documents of the claimants identified with the numbers 19,22,27,30,
37,38,40,41,42,50,52,53,54,59,61,62,72,73,75,77,80,83 and 87.
The violation of the principle of accuracy incurred by the FIJ has another
manifestation, which concerns the identity of the presumed debtors. The
Publications from which the FIJ collects information do not always allow the identification of
undoubtedly to the alleged owner of the debt. As evidenced by the
documentation in the file of the presumed owners of the debts that are
registered in the FIJ are frequently identified not by the NIF, but by name and
two surnames combined with an address. It should be noted in this regard that the great
Most of the incidents that appear in the FIJ associated with the claimants are
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 156
156/184
prior to 2018 and that, as of 12/07/2018 (date of entry into force of the
LOPDGDD) in accordance with the provisions of the seventh Additional Provision of the
LOPDGDD the address information is not included in the notifications by means of
announcements and publications of administrative acts carried out by any
Public administration.
The seriousness of this fact is evident when the EQUIFAX associate has access
to information that does not unequivocally identify the person to whom it refers
your query and then tries to identify it "by approximation"; this is, once
searches the FIJ for the data that identifies the person you want
contract with him, if the FIJ does not have the NIF of that person registered, it will provide the
associate of EQUIFAX the information available from people who have names and
matching surnames for the associate, on the basis of verifying if any of the
addresses coincide with that of the person you want to hire, you can determine if this
meets the required solvency conditions. Situation that gives rise to that, when
the alleged debtor exercises access to EQUIFAX -as long as the claimed party does not
has your NIF included in the FIJ- requires, for identification purposes, the addresses
that he has had over the years as a way to determine whether or not he is the
debtor. This absolute indeterminacy of the person of the debtor, in other words,
inaccuracy of the data, has not been an obstacle so that, previously, the associate
EQUIFAX has verified that in the FIJ there are one or more people with a name and
last name coinciding with that of the person who intends to contract with him and, when in doubt as to
Not him to whom the FIJ refers, I granted him the initial presumption of insolvency. Situation
This is clearly reflected in the case of claimants 18, 26, 27, 32, 36 and 94.
Thus, the file owned by the claimed party violates the principle of accuracy.
also with regard to the identification of the holders of the debts. The conclusion
that we can extract is that it can hardly serve the legitimate interest that
wants to attend linked to " fraud prevention ".
On the other hand, in view of the particular circumstances that determine that the
Administration is forced to notify a managed by publishing
of advertisements (assumptions of article 44 LPACAP), a rigorous application of the
accuracy should lead to not admit, without further verification, as a datum
exact information regarding the address that until the entry into force of the
LOPDGDD appeared published in the official newspaper or gazette. This, despite the fact that
the reason for notifying by posting ads is not at all
cases where the address is wrong or the interested party is unknown. If the
information provided by EQUIFAX in the testing phase regarding notifications
practiced, of the total of those that were unsuccessful, just over 90% were unsuccessful
because the address was incorrect or the recipient was unknown. (Done
tested tenth)
2. The position held by the respondent both in its response to the evidence and
in the allegations to the initial agreement it is obviously the opposite.
First of all, regarding the infringement of the principle of accuracy, the claimed
has stated in its allegations that the RGPD has not introduced modifications or
in the enunciation of the principle nor in its consequences, in comparison with what
established by the Directive, therefore, it understands that through the initiation agreement the AEPD
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 157
157/184
has adopted a “ new criterion ” that violates the principles of legal certainty and
legitimate confidence. On this matter we limit ourselves to making a reference to what
set forth in the corresponding Legal Basis IV of this resolution.
The respondent asserts that the FIJ fully respects the principle of accuracy. That the
published data enjoy the presumption of accuracy recognized in article 4.2.d)
of the LOPDGDD, so it is not responsible for the inaccuracies of which
could suffer. It states that it has made available to those affected the
mechanisms to correct or delete inaccurate or incomplete data, respecting in
In any case, the requirements set forth in the LOPDGDD and the RGPD, such as providing the
documentation that proves the inaccuracy of a data whose deletion is requested. For
This means that there is no reversal of the burden of proof when the
claimants who request the deletion of their data from the FIJ provided by the
documents certifying the payment of the debt but only compliance with
the requirements set forth in current regulations (article 14 LOPDGDD)
Regarding the presumption of accuracy contemplated in article 4.2.d) LOPDGDD, it is necessary to
indicate that article 4 begins by referring in paragraph 1 to the principle of accuracy
of article 5.1.d) RGPD, which says, among other things, that the data must be
updated when necessary for the purposes of the treatment. There are situations in
which is absolutely necessary to check and even update
periodically the accuracy of the data due to the damage that could be caused by
interested if the data were inaccurate.
So the starting point is a situation in which the respondent seeks a
information that you know you cannot update, and this, despite being the update of the
information a requirement for the FIJ to fulfill its purpose. EQUIFAX knows
this fact perfectly and freely chooses to collect that information, so
She must assume the responsibility derived from the inaccuracy of the data that she treats.
On the other hand, regarding article 4.2.d) LOPDGDD, the presumption that invokes -if
applicable to the case, an extreme that is not shared- it could operate exclusively
Regarding the information that comes from the Public Bankruptcy Registry. In no case
of the official newspapers and gazettes that do not have the status of public registry.
Regarding the mechanisms that the respondent affirms that it makes available to the
affected to rectify or delete their data, it is enough to point out that it does nothing but
fulfill an obligation imposed by the GDPR. Chapter III " Rights of the interested party "
regulates these rights in articles 16 to 19 and article 14 LOPDGDD provides that,
when necessary, the affected party provides the documentation proving the inaccuracy.
In response to the question that was asked in the test phase about what was the
protocol you had had for the past six years to ensure that the data
personnel that incorporated the FIJ were duly updated, in all
At the moment, EQUIFAX responded that the protocol is based mainly on the
"Limitation of the sources from which the FIJ file is fed", the information that is
obtained from the Official Gazettes published by the State, the Communities
Autonomous and Provincial Councils . Which, in his opinion, guarantees that all
the information collected is considered " official and authentic" in accordance with the
Article 3.1 of Royal Decree 181/2008, of February 8, on the organization of the official gazette
State official newsletter. He considers this to be " a guarantee that there are no
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 158
158/184
doubts about the updating and veracity of the information incorporated into the FIJ. " Y
adds that “ the newsletters are downloaded the same day they are published, so the
FIJ information is updated on a daily basis with the information contained in the
Newsletters. "
Regarding the respondent's response, it should be noted that, indeed, the
Information published in the Notifications Supplement and in the BOE is guaranteed
of " authenticity" , that is, the guarantee that it actually comes from the authority
who signs the act or provision.
The respondent's comment that “ the FIJ information is updated accordingly.
daily with the information contained in the Bulletins ” is absolutely true
if by updating we mean "enriching". Indeed the FIJ is getting richer every day
with the new information you collect from the newsletters; but that has nothing to do with
the updating or updating of the annotations for debts that already appear in the
file linked to natural persons.
The respondent has also referred in her response to the questions formulated in the
test phase to the “ Automatic information capture processes: the downloading of
the bulletins and the subsequent registration of the data in the FIJ ” and says that it has
specific recording criteria implemented “in order to ensure that the headlines
are unequivocally identified for their inclusion in the FIJ, ” from which
concludes without more than " These criteria guarantee that there is only data from owners
duly identified ”.
It is not in doubt that the information regarding the personal data contained
in the newsletters and newspapers it is accurately transferred to the IJF. But, as more than enough
the respondent knows, that is not the question to which the violation of the principle refers
of exactitude so that, in this sense, his assertion that
" These criteria guarantee that there is only data of holders duly
identified "
The respondent referred in her response to a new measure implemented that, in its
opinion, would guarantee the accuracy and updating of the data: “4) Notification of
inclusion: this part has been making the holders whose data has been collected
from May 25, 2018, a specific notification of its inclusion in the FIJ,
as a measure to guarantee the updating of the data. Said communications
allow interested parties, in a free and simple way, to check whether
effectively the data that have been published by the different official gazettes and
that have been collected by my client contain some error. " Question to which
We will refer to another Legal Basis for the resolution.
3. In its allegations to the proposed resolution EQUIFAX places the starting point
of his argument in the necessary clarification of " what is the purpose of the FIJ", since
" Article 5.1.d) of the RGPD links" accuracy "with" the purposes for which they are processed "
the data". It then states that the " purpose of the FIJ" is "to reflect the existence of
a debt as stated in the advertisement and at the time of its publication in the source
corresponding official ”. (The underlining is ours)
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 159
159/184
From the foregoing, it follows that the circumstance that the FIJ cannot show which is the
debt situation at the time of consultation does not allow rating the information
inaccurate in the terms provided in article 5.1.d) RGPD. It is not inaccurate, he says.
the one claimed - because it correctly collects the information that is necessary for the
purpose sought by the FIJ, "to help Equifax clients assess their solvency ."
Therefore, he clarifies, the information would be inaccurate if, " contrary to what the
file ” , will not correctly reflect the information that appears in the published announcement.
Conjecture that the AEPD, in order to qualify the contained data as inaccurate
in the FIJ, has proceeded in the resolution proposal, incorrectly, to associate the
" Assessment of the solvency of those affected" with information about the "situation
current "at the time of the consultation of the debt of the people."
It goes on to refer to the suitability of the information contained in the FIJ to assess the
creditworthiness of a person; suitability which, he affirms exhaustively, is out of all
doubts as has been confirmed for twenty-five years by the “ enormous number of
entities that have been resorting to the FIJ to assess solvency "He warns that a
judgment of suitability requires a thorough knowledge of the subject and that to what extent
know the AEPD is not an entity that carries out analysis in its day-to-day activities
solvency.
It states that the FIJ “ covers an undeniable need of the creditor market and the
fights against delinquency and fraud ”and then states: “ [...] it is clear that
The FIJ information constitutes a complement to the files referring to the
debts contracted with in the private sector [...]. It is obvious that "in an ideal world"
it would be preferable if the FIJ could be updated as completely as it happens
with the credit information systems of article 20 of the LOPDGDD.
Unfortunately, this is not possible since the Administrations do not publish
information in this regard, without such circumstance being considered in any
case as a case of "inaccuracy" of the information, for the reasons already stated. "
(The underlining is ours)
It also argues, as it had already done in the brief of allegations to the commencement agreement,
that article 4.2 d) LOPDGDD establishes a presumption of accuracy that cannot
be misrepresented “ by the result of the AEPD investigation, not even by the
provision of evidence by the interested party ”and“ contains an imperative mandate of
disclaimer to the person who has collected the data under their
content ”.
It indicates that this provision - 4.2.d) LOPDGDD- has to be connected with the
BOE regulatory regulation that “ establishes a presumption of veracity and
authenticity of the information contained therein, which guarantees the principle of
accuracy " and concludes that" the accuracy of the information referred to the notifications
incorporated into the FIJ [...] derives directly from said publication [in the BOE] and the
LOPDGDD ”.
Finally, invoke two more arguments: That until the repeal of the LOPD
EQUIFAX “was [...] protected by the express legal authorization contained in the
Article 29.1 LOPD and the action of the AEPD for which documentation was required
accrediting the payment so that it could proceed to its deletion ”. And, regarding the accuracy of
the identification data of the alleged debtors, affirms that "he accredited during the
trial period that only proceeds to the processing of those data regarding
of which it has sufficient means to guarantee the accuracy of the information
treated . "
It also affirms that, as a consequence of the entry into force of the LOPDGDD, it has
adopted measures so that only the data of the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 160
160/184
stakeholders of which there are sufficient elements to guarantee their full
identification, which has been reflected in a decrease in the number of inclusions in
the file.
In view of what is alleged by the defendant, it seems sterile to discuss the novel
concept of accuracy of the data intended to inform about the solvency of the
affected. Even more so when the entity itself recognizes that “it would be preferable for the FIJ
could be updated as completely as it happens with the systems of
credit information of article 20 of the LOPDGDD. "
4.Article 5.2, in connection with 5.1.d) RGPD evidences that it is incumbent on the
responsible for the treatment the burden of proving the accuracy of the data that are the subject
of treatment ; For what is of interest here, EQUIFAX is responsible for proving the
accuracy of the debts included in the FIJ associated with exact personal data of
the presumed debtors.
The obligation imposed by article 5.2. RGPD implies that the person responsible for the
treatment must provide, during all the time in which the
data processing, mechanisms that guarantee that the information it deals with
-the debts that link to personal data- is at all times
updated.
The defendant completely lacks the means to fulfill this obligation. And before this
lack, aims to be recognized as a skillful instrument for compliance
of the obligation incumbent upon her, which is nothing but a requirement demanded by law
the owner of the data who exercises the rights granted by the RGPD. In short, the
claimed is intended to be valued as a means of fulfilling the obligation of
accuracy imposed by article 5.2 RGDP in relation to article 5.1.d), the
documentation that claimants must provide in order to prove the
inaccuracy of the data concerning them when they exercise before it the right to
rectification (article 14 RGPD).
On the other hand, the respondent is perfectly aware that it does not have
means to keep the information processed in the FIJ updated. Proof of this is
the text that we reproduce, from document 8 of which it sent in the phase
of evidence, called “LIA Judicial File. Legal Analysis. December 2019 ”, in which
point 7, “ Operation of Equifax files with information obtained from
sources of public access ”, a section is dedicated to the guarantees that
implement in the future regarding the principle of accuracy:
"1.4. Principle of accuracy ”“ In compliance with this principle and given that the
Edict publication only recognizes the existence of the obligation to satisfy the
owed, but there is no additional information that allows to know
effectively if that amount is owed at the time of notification of
inclusion, a possible solution to this problem would be the limitation of very
brief references to the aforementioned communications, and in the analyzed system this
This requirement is met, as the term is reduced to the publications that have occurred in the last
five months. However, this reduction does not allow us to fully bypass the
risk derived from the treatment of these data, being able to see the qualification of a
negatively interested by the fact of incorporating an edict notice
referred to a debt already paid in the same way that it could be affected
favorably the subject to whom a notification had been made with a
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 161
161/184
seniority of more than five months and had not proceeded to pay the amount
owed. " (The underlining is ours)
5. In accordance with the foregoing and the documentation in the file, the
considers that the respondent has violated the principle of accuracy provided in article
5.1.c) RGPD.
The violation of article 5.1.c) RGPD that is attributed to EQUIFAX is typified in the
Article 83.5. RGPD that states: “Violations of the following provisions are
sanctioned, in accordance with section 2, with administrative fines of 20,000,000
Eur maximum or, in the case of a company, an amount equivalent to 4%
at most of the total annual global turnover of the financial year
above, opting for the one with the highest amount:
b) The basic principles for the treatment, including the conditions for the
consent in accordance with articles 5,6,7 and 9. "
Article 72 of the LOPDGDD qualifies as very serious -being the statute of limitations,
in this case, three years - the infractions that suppose a substantial violation
of the articles mentioned in article 83.5 RGPD and in particular:
"A) The processing of personal data violating the principles and guarantees
established in Article 5 of Regulation (EU) 2016/679. "
VIII
Of the infringement of the principle of data minimization
The RGPD establishes in its article 5.1.c) that personal data will be “ adequate,
relevant and limited to what is necessary in relation to the purposes for which they are
treated (<< data minimization >>) "
Therefore, only data that is adequate, relevant and not
excessive in relation to the purpose for which they are obtained or processed . This implies, for one
part, that the categories of data selected for processing must be
necessary to achieve the objective of the treatment operations and that the person responsible
of the treatment must strictly limit the collection of data to that information
that is directly related to the specific purpose pursued by the treatment.
On the other hand, the GDPR requires that the data be relevant , which implies that the data
treaties are suitable and proportional to the legitimate aim pursued. Also, that the
personal data that is adequate and relevant, but constitutes interference
disproportionate in the fundamental rights and freedoms at stake, they must
considered excessive .
Compliance with this principle by the claimed, as happens with other
principles already examined, such as legality or accuracy, is conditioned by the
infringement of the principle of limitation of the purpose in which the entity incurs with the
collection of data from official newspapers and gazettes that pursue a
purpose incompatible with that of the FIJ.
As a result of the illegal nature of the subsequent processing of the data collected - that is, the one that
the claimed is carried out through the FIJ- it is shown that the person responsible for the
treatment is in a situation of practical impossibility of respecting the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 162
162/184
rest of the principles that according to the RGPD govern the treatment. Such is the degree of
irregularity that some of the actions with which EQUIFAX intends to comply with the
Obligations imposed by respect for the principles that govern the treatment are
become in practice an additional violation of the regulations for the protection of
data.
As a first point, it should be noted that, as has been shown when examining
other principles, particularly that of accuracy, the data that EQUIFAX obtains from
through bulletins and official journals that feed the FIJ are not suitable for the
purpose pursued by the file, so they violate the principle of minimization of
data. The fundamental reason is that they do not allow an update of the information
regarding the solvency of the debtor. It is added to the above that, while the
Publication of the data does not include the address of the owner of the data, the claimed does not
is in a position to comply with the information obligation provided for in the
Article 14 RGPD.
On the other hand, it is necessary to refer to Additional Provision 7 of the LOPDGDD that,
under the heading " Identification of those interested in notifications by means of
announcements and publications of administrative acts. " establishes:
"1. When the publication of an administrative act containing
personal data of the affected person, they will be identified by their name and
surnames, adding four random numerical figures from the national document of
identity, foreigner identity number, passport or equivalent document.
When the publication refers to a plurality of affected these random figures
they must alternate.
In the case of notification by means of advertisements, particularly in the
assumptions referred to in article 44 of Law 39/2015, of October 1, of the
Common Administrative Procedure of Public Administrations, it will be identified
to the affected exclusively through the complete number of his national document
Identity number, foreigner identity number, passport or equivalent document.
When the affected person lacks any of the documents mentioned in the
two previous paragraphs, the affected party will be identified solely by name and
surnames. In no case should the name and surname be published jointly
with the complete number of the national identity document, identity number of
foreigner, passport or equivalent document. "
In accordance with the transcribed provision, in the publications and notifications by
means of announcements provided for in articles 45 and 44 LPACP will never be published
address of the interested parties, nor jointly the name and surname and the number
complete identity document. In addition, in the case of notifications of
announcements of article 44 LPACAP, identification will be made by the full number of the
identity document, regardless of the reference to the name and surname except
that the owner lacks this information, in which case the name and surname will be included. And in
the publications of administrative acts that contain personal data will be included
the name and surname and four random figures of the identity document.
This legal provision seeks to minimize the impact caused on the right
fundamental to the protection of data of the administered derived from the publication
of your data in official newspapers or gazettes.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 163
163/184
EQUIFAX answered the question asked in the test phase regarding the criteria
that the FIJ uses to organize the personal data that are subject to treatment
in order that their holders are duly identified, (Done
tested sixth) in the following terms:
a) If only the NIF / NIE is published: then “it is verified whether on the date of
publication, the NIF / NIE in question, is registered in the active information
of the FIJ (excluding therefore the one that is blocked). Depending on the result
obtained, different actions are carried out : "
a´) If the identifier is already included in the FIJ associated with a name and surname,
registers in the FIJ the new published information.
a´´) If that identifier is not included in the FIJ, the recording of the registry is discarded .
b) In the event that the name and surname and incomplete NIF / CIF are published:
d skip the recording of the data in the FIX file
c) Cases in which name + surname + address is published: It proceeds
to the recording of the record in the FIJ file, associating both data.
d) Cases in which only name + surname appears published: In this
Of course, the recording of the data in the FIJ file is discarded .
(The underlining is ours)
Thus, despite the limitations that the data represent for the processing of data,
criteria set in the seventh Additional Provision of the LOPDGDD, the claimed is
supports the information that is active in the FIJ on the date of publication of the
information; combines both information and proceeds to register in its file the
new information published as long as the identifier - the only data that according to
The seventh Additional Provision of the LOPDGDD can be made public - already
included in the FIJ associated with a name and surname.
We believe that this conduct invalidates the measures provided by the legislator for
protect the right of the owners of the data that are published for reasons of
public interest in official gazettes and gazettes.
In the case that concerns us, it is proven that there are numerous claimants
that, after 12/07/2018, the date of entry into force of the LOPDGDD,
they have annotations in the FIJ. Which means that while the publication of the
The information did not contain their names and surnames but exclusively the NIF,
EQUIFAX, acting as explained, verified that this identifier was
active in its file and, in addition, associated with a name and surname, and proceeded to give
high the annotation. In this sense, it is proven that they were included in the FIJ, with
after 12/07/2018, annotations linked to the following claimants who
In the aforementioned file they are identified by their name, two surnames and NIF: the
numbers 2,6,7,9,13,14,15,21,32,43,48,49,58,59,71,74,79,82,83 and 89.
3. In its brief of allegations to the proposed resolution, the complained party states
that the statement made by the proposed resolution in relation to the infringement
of the principle of minimization of data that is imputed to him does not allow him to discern his
link with the aforementioned principle. It adds that “ nowhere in the Proposal is
indicates that the collection of data referring to the name, surname, document
identification, address and characteristics of the debt contracted are not adjusted to
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 164
164/184
the aforementioned purpose nor is a trial or assessment of any proportionality carried out
respect." It concludes that the aforementioned offense appears to have been included in the resolution
with “ a mere intention of increasing, [...] in a completely artificial way the
reproach directed against ” EQUIFAX.
It indicates that the reasoning of the AEPD in the proposed resolution leads to,
when it is considered that a certain treatment violates the principle of
limitation of the purpose (which the defendant denies) “ would also breach the
minimization principle, since more data would be processed from
those legally enforceable in the opinion of the Agency. This argument, by definition
it would be inadmissible, [...] "
Finally, it adds that, as a consequence of the entry into force of the LOPDGDD,
“ Has put into practice measures aimed at making the data processing result
adjusted to the principles of accuracy and minimization and that only the
treatment in the event that compliance with such principles is guaranteed, for
which is not enough to understand the effect that the entry into force of said provision
can lead to the alleged violation of the principle of minimization. "
4.In accordance with the foregoing and the documentation in the file, we estimate
that the behavior of the claimed violates the principle of minimization of data provided
in article 5.1.c) RGPD.
The infringement of article 5.1.c) RGPD is typified in article 83.5.a) RGPD that
establishes:
"Violations of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for
the highest amount:
a ) the basic principles for the treatment, including the conditions for the treatment
consent in accordance with articles 5, 6, 7 and 9; [...] "
On the other hand, for the purposes of prescription, the LOPDGDD qualifies in its article 72.1.
as a very serious offense "a) The processing of personal data violating the
principles and guarantees established in article 5 of Regulation (EU) 2016/679 ”.
IX
Of the infringement of the obligation imposed in article 14 RGPD
1. The RGPD dedicates chapter III to the rights of the interested parties (articles 12 to 23).
Article 14, under the heading "Information to be provided when the data
personal data have not been obtained from the interested party ”establishes the following:
"1. When the personal data have not been obtained from the interested party, the person in charge
of the treatment will provide you with the following information:
a) the identity and contact details of the person in charge and, where appropriate, of their
representative;
b) the contact details of the data protection officer, if applicable;
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 165
165/184
c) the purposes of the treatment to which the personal data are destined, as well as the basis
legal treatment;
d) the categories of personal data in question;
e) the recipients or categories of recipients of personal data, in their
case;
f) where appropriate, the intention of the person in charge of transferring personal data to a
recipient in a third country or international organization and the existence or absence
of an adequacy decision of the Commission, or, in the case of transfers
indicated in articles 46 or 47 or article 49, paragraph 1, second paragraph,
reference to adequate or appropriate guarantees and means of obtaining a
a copy of them or the fact that they have been loaned.
2.In addition to the information mentioned in section 1, the person responsible for the
treatment will provide the interested party with the following information necessary to guarantee
a fair and transparent data processing with respect to the interested party:
a) the period during which the personal data will be kept or, when that is not
possible, the criteria used to determine this deadline;
b) when the treatment is based on article 6, paragraph 1, letter f), the interests
the data controller or a third party;
c) the existence of the right to request the data controller for access to the
personal data relating to the interested party, and its rectification or deletion, or the limitation
of its treatment, and to oppose the treatment, as well as the right to portability
of the data;
d) when the processing is based on article 6, paragraph 1, letter a), or article
9, paragraph 2, letter a), the existence of the right to withdraw consent in
at any time, without affecting the legality of the treatment based on the
consent before its withdrawal;
e) the right to file a claim with a supervisory authority;
f) the source from which the personal data come and, where appropriate, if they come from
public access sources;
g) the existence of automated decisions, including profiling, to which
referred to in article 22, paragraphs 1 and 4, and, at least in such cases, information
significant on the applied logic, as well as the importance and consequences
provided for said treatment for the interested party.
3. The data controller will provide the information indicated in sections 1 and
two:
a) within a reasonable period of time, once the personal data has been obtained, and more
take within a month, taking into account the specific circumstances in which
said data is processed;
b) if the personal data are to be used for communication with the interested party, to
at the latest at the time of the first communication to said interested party, or
c) if it is planned to communicate them to another recipient, at the latest at the time
that the personal data are communicated for the first time.
4.When the person responsible for the treatment plans the subsequent treatment of the data
personal data for a purpose other than that for which they were obtained, will provide the
data subject, before said further processing, information on that other purpose and
any other relevant information indicated in section 2.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 166
166/184
5.The provisions of paragraphs 1 to 4 shall not apply when and to the extent
in what:
a) the interested party already has the information;
b) the communication of such information is impossible or involves an effort
disproportionate, in particular for processing for archival purposes in the interest
public, scientific or historical research purposes or statistical purposes, subject to
the conditions and guarantees indicated in article 89, paragraph 1, or to the extent
that the obligation mentioned in paragraph 1 of this article may
make it impossible or seriously impede the achievement of the objectives of such treatment. On
such cases, the person in charge will adopt adequate measures to protect the rights,
freedoms and legitimate interests of the interested party, including making public the
information;
c) the obtaining or the communication is expressly established by the Law of the
Union or Member States that applies to the controller and that
establish adequate measures to protect the legitimate interests of the data subject, or
d) when personal data must continue to be confidential about the
basis of an obligation of professional secrecy regulated by Union law or
of the Member States, including an obligation of secrecy of nature
statutory. "
Recital 39 also refers to the right of the interested parties to be informed
of the processing of your data, in the following terms:
“[...] For natural persons it must be totally clear that they are being collected,
using, consulting or otherwise processing personal data that
concern, as well as the extent to which said data is or will be processed. The beginning
transparency requires that all information and communication regarding the treatment of
such data is easily accessible and easy to understand, and that a language is used
simple and clear. This principle refers in particular to the information of the
interested parties about the identity of the person responsible for the treatment and the purposes of the same and
to the information added to ensure fair and transparent treatment with
regarding the affected natural persons and their right to obtain confirmation and
communication of personal data concerning them that are the subject of
treatment. [...] "
From the effective date of application of the RGPD (05/25/2018) the complainant was
obliged to inform, in the terms of article 14 RGPD, all interested parties
whose personal data were being processed through the FIJ in
that moment. This, because the new transparency regime introduced
by the RGPD affected all the treatments that were maintained on that date, with
regardless of the regime in force when the data were collected, as
established a norm or criterion of the Administrative Litigation Chamber of the
National audience.
Obligation, on the other hand, was well known to all those responsible for
treatments that during the two years prior to the effective application of the RGPD
were preparing the adaptation to the new legislation of the treatments of
personal data that they carried out.
It seems obvious that EQUIFAX did not comply with the obligation imposed by article 14
RGPD to notify the owners of the data that on that date were in the FIJ.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 167
167/184
It is enough to compare the figures provided: in 2018 the people whose data
were subject to treatment by the FIJ exceeded four million and, nevertheless, the
The number of notifications made that year did not reach three hundred and forty thousand. On
In this sense, there is already an infringement of article 14 RGPD in relation to the
article 5.1.a) RGPD.
On the other hand, there is no doubt that EQUIFAX is obliged to inform the
interested in the terms of article 14 RGPD each time they incorporate their
personal information.
In line with this obligation, we must reiterate what has already been stated regarding the
violation of other provisions of the RGPD. In the behavior analyzed we start from
an illicit treatment of personal data, inasmuch as data that were
initially treated for a purpose that is incompatible with the purpose that
pursues further treatment, that is, the FIJ, which conditions, as it could not be
otherwise, compliance with the obligations that the RGPD imposes on the
responsible for the treatment to the point that these are impossible
compliance if it is not in violation of other provisions of the RGPD.
As EQUIFAX has repeatedly recognized, the information that the FIJ collects
it comes basically from official newspapers and gazettes. It has already been indicated that, as a result
of the entry into force of the LOPDGDD and the application of the 7th Additional Provision,
The data of the address of the administered whose personal data are
subject to publication in accordance with articles 44 and 45 LPACAP.
It is, therefore, that EQUIFAX having the obligation to inform the interested parties
whose data is included in the file completely lacks the possibility of complying
Regarding new registrations, such obligation, to the extent that the announcements
published will not provide you with the address information that allows you to inform you in the
terms indicated in article 14 RGPD. A circumstance that is obviously not
it prevents the violation of article 14 RGPD to be appreciated, particularly with respect to
to the annotations that on the date of entry into force of the RGPD already appeared in the
FIJ, but to highlight, once again, the absolute irregularity of the FIJ.
2. EQUIFAX has stated in its allegations to the start-up agreement that “it comes
making to the holders whose data has been collected since May 25,
2018, a specific notification of its inclusion in the FIJ, as a measure to
guarantee the updating of the data. These communications allow the
interested parties, in a free and simple way, check whether the data
that have been published by the different official gazettes and that have been collected
by my representative they contain some error. "
As indicated, the notification you announce will not be possible, at least with
the only information offered by the newspapers and bulletins in which the data is published.
Regarding this new measure that the claimed one announces to us, we must clarify
that we are not facing a proactive action of the entity, as it has
declared, but before an obligation imposed by the RGPD. On the other hand, it is reiterated that
already indicated about the impossibility of practicing this informative notification to the
interested in lacking the address information and that the attempt to link the number
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 168
168/184
identification of an interested party that is published in an official newspaper with the information that
It is recorded in the FIJ, so the address information is of interest here, it constitutes your
Once a violation of the principle of data minimization.
Finally, the repeated comment of the entity on the
non-existence of an obligation to inform the owner of the data being processed
as established in article 5 of the LOPD. The respondent has stated that there was
an express endorsement from the National High Court that the
fulfillment of such obligation because its action is included in the
Article 29.1 LOPD and has cited for this purpose the SSAN of 06/29/2001 (Rec. 1012/1999);
11/29/2001 (Rec. 531/2000) and of 02/27/2008 (Rec. 358/2006) However, the aforementioned
judgments seem to show that the regime to which it refers is connected with the
prevailing criterion at that time that a treatment of data that had been
obtained from public sources defined by article 3.j LOPD was lawful
in accordance with article 6.2 LOPD. Therefore, we understand that after the publication of the
so many times cited judgments of the CJEU and the Supreme Court there was no reason for EQUIFAX
did not comply with the obligation established in article 5 of the LOPD.
3. In its allegations to the proposed resolution, regarding this infraction, the
claimed analyzes three different scenarios.
(i) The regime prior to the entry into force of the LOPDGDD, in which, it affirms, it is
waived the obligation to inform interested parties of the processing of their data
personal activities carried out at the FIJ, as confirmed by a “very reiterated
jurisprudence ”that determined that as of the SAN of 02/27/2008 the AEPD did not
issue any sanctioning resolution for breach of the obligation to
notify.
(ii) The existing regime during the validity of the LOPD, as of the date on which the
dictates the judgment of the CJEU of 11/24/2011. He considers that the situation was identical to the
above and that it was the motion for a resolution that " creates ex novo " a line
argumentation that understands that the previous criterion was modified from the aforementioned
STJUE. In the opinion of the complainant, the proposal eliminates “ the possibility of founding the base
of the FIJ in the provision of article 29.1 LOPD ”. Therefore, it requires that the
exclusion from the duty to inform did not derive from the nature of the sources
obtained the information, but from article 29.1, in relation to 29.4 and in relation to
article 5.5. LOPD.
(iii) The system after the effective application of the RGPD, in which EQUIFAX has
considered " necessary to comply with the duty to inform." After which, add
that, “ although he could have considered that the causes that exonerated him from said
obligation under the LOPD that, do not forget, remained in force until 7
December 2018, they continued to protect him. " This commitment made as a result of the
effective application of the RGPD has materialized in the “ notification to all
interested in the inclusion of their data in the FIJ ", which constitutes a" commitment
additional entity with the guarantee of the right to data protection ”.
The respondent affirms that the proposal considers that “ this duty of information is not
has complied with the data included in the FIJ prior to entry into
validity of the LOPDGDD, that is, when there was a rule that excluded the duty of
information." It also states that after the entry into force of the LOPDGDD
could distinguish “ two types of data” : (i) Those introduced prior to the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 169
169/184
entry into force of the RGPD, with respect to which it says that “[...] the principle of
minimization and the cited interpretation of Article 11 excluded the possibility of obtaining
additional information with the sole protection of complying with the duty to inform ”. TO
purpose of article 11 RGPD indicates that it is possible to interpret by analogy, in what
affects the processing of data additional to those required for compliance with the
purpose of the treatment, the provisions of that precept, according to which “[s] i the purposes for
which a controller processes personal data do not require or no longer require the
identification of an interested party by the person in charge, this will not be obliged to maintain,
obtain or process additional information with a view to identifying the interested party with the only
purpose of complying with these Regulations ”. Therefore, consider that it could be concluded
that, if the purposes of the treatment do not justify the processing of additional data, no
could hide behind GDPR compliance to collect such data.
(ii) Those incorporated into the FIJ after said entry into force, with respect to the
that Equifax chose, compared to the other entities in the sector, to comply with the
Article 14, proceeding to notify all interested parties of the incorporation of their
data to FIJ.
The entity concludes that it has fully complied with the duty of information regarding
all those treatments carried out since the entry into force of the RGPD, therefore,
"Under the previous regulations (LOPD) it was exempt from compliance with this obligation."
and after “ the entry into force of the RGPD, it was applicable to these treatments
provided in article 14.5 a) of the RGPD, since the information is impossible or requires
disproportionate efforts, something that the Proposal itself explicitly recognizes. "
The respondent affirms that the proposal considers that “this duty of information is not
has complied with the data included in the FIJ prior to entry into
validity of the LOPDGDD, that is, when there was a rule that excluded the duty of
information." However, what the proposal says is that once it went into effect
the GDPR, the obligation imposed by article 14 GDPR should be fulfilled in
relationship with the data previously included in the FIJ, whose treatment is
kept. Forget the claimed that the RGPD, once it is effectively applied,
It is applicable in its entirety and that, therefore, EQUIFAX had the obligation from
that date of informing in the terms of article 14 RGPD to the owners of the data
whose treatment continued to be carried out through the FIJ, even though the data was
would have been included in the file under the validity of other regulations. It must be remembered,
in addition, that the conduct referred to as constituting an infraction of the
The principle of data minimization is what the entity claims to carry out, as a result of the
entry into force of the LOPDGDD, since in accordance with the additional provision
seventh, the notifications announcements do not include the address information: a crossing of
data between the information that already works in the FIJ, in which, as it is inferred from
manifested, the address information is included, with which it is published in the advertisements
inserted in official gazettes and gazettes.
Therefore, compared to what EQUIFAX argues, it was not exempt from the obligation to
notify the holders of the data that were still in the FIJ on the date of application
of the GDPR. Nor can he be excused from complying with this obligation on the basis of
apply article 11 RGPD or on the pretext of avoiding breaching the principle of
data minimization, because with respect to the data already included in the FIJ, there is no
no data crossover. And the breach is patent. It is enough to compare the
number of people who were included in the FIJ on the date of application of the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 170
170/184
RGPD and the number of notifications that in that year and in the following years
EQUIFAX.
4. Article 14 RGPD imposes on the respondent an obligation to inform the
interested parties when the processed data had not been collected from them, which is
consequence of the principle of transparency that governs data processing
personal in accordance with article 5.1.a) RGPD.
It is a proven fact that EQUIFAX did not notify the interested parties whose data
had been dealing with the FIJ as a result of the effective application of the RGPD, the
05/25/2018, this, despite the fact that the interested parties were never informed of the treatment
to which your personal data were submitted under an interpretation of the LOPD
that the National Court had made before the judgments of the CJEU of
11/24/2011 and TS of 02/25/2012.
With regard to the complainants, it is found, as already indicated, that
there are numerous inclusions after the date of entry into force of the
LOPDGDD. In all cases, these are interested parties of which there were inclusions
previous in the FIJ. However, not all of them appear in the FIJ, among the data that
they are concerned, the address data.
4. Based on the foregoing and the documentation in the file, we estimate
that the conduct of the defendant violates the obligation imposed by article 14
RGPD, in relation to article 5.1.a) RGPD.
The infringement of article 14 RGPD is typified in article 83.5 RGPD that
establishes:
"Violations of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for
the highest amount:
to) [...]
b) the rights of the interested parties in accordance with articles 12 to 22; "
For the purposes of prescription, the LOPDGDD qualifies in its article 72.1. as an offense
very serious “h) The omission of the duty to inform the affected person about the treatment of
your personal data in accordance with the provisions of articles 13 and 14 of the Regulation
(EU) 2016/679 and 12 of this organic law ”.
X
The defendant revealed in her brief of allegations the non-existent
link between the claims made by the claimants and the object of the
sanctioning procedure directed against her. It affects that sense in which
Claims made are exclusively about the exercise of rights
that the RGPD recognizes in articles 16 to 22 and that furthermore this
The entity attended, in most cases, the request made by the
affected. For this reason, consider that this extreme, the non-existent link between the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 171
171/184
claims made and the stated object of the procedure, would oblige the file
of the procedure.
Apart from the fact that in some of the claims the claimants refer to
expressly that the inclusion of their data in the FIJ (case of claimants 35,
39, 46 or 55) this allegation must be rejected, since the facts stated
manifested in the claims are closely linked to the object of the
process. In addition, from the examination of said claims, it appears that the action
of the responsible entity transcends the claims submitted.
The RGPD has established its own and specific regime regarding
procedures before the control authorities regarding data protection. The
Chapter VIII of the RGPD is entitled " Resources, responsibility and sanctions ", and the
first of the articles of said Chapter VIII, article 77, establishes the right to
file a claim with a supervisory authority. Art. 77.1: “Without prejudice to
any other administrative resource or legal action, all interested parties will have the right
to file a claim with a supervisory authority, in particular in the State
member in which you have your habitual residence, place of work or place of
alleged infringement, if you consider that the processing of personal data that
concern violates these Regulations. " In turn the art. 79 GDPR establishes that
“ [S] without prejudice to the administrative or extrajudicial remedies available, including the
right to file a claim with a supervisory authority under the
Article 77, all interested parties shall have the right to effective judicial protection when
consider that your rights under this Regulation have been violated
as a result of a processing of your personal data. "
We therefore see that a "claim" from a private individual can give rise to two types
of procedures, one of them related to infringements of the RGPD, with a character
general, and another for violation of their rights.
In the LOPDGDD this distinction has been reflected in Title VIII, which regulates
jointly the procedures in case of possible violation of the regulations of
Data Protection. Thus, its art. 63.1, Legal regime, includes (a) procedures
in case of infringement of the RGPD and the LOPDGDD itself and (b) those derived from a
possible violation of the rights of the interested parties. The LOPDGDD does not foresee any
additional type of procedure in case of possible violation of the regulations of
data protection, so that all the functions and powers that the RGPD
granted to the control authorities in arts. 57 and 58 RGPD must be exercised at
through these procedures in case of possible violation of the regulations of
Data Protection. There are no others.
It follows from this, also taking into account art. 64 LOPDGDD, which
when the procedure is directed exclusively to the lack of attention of a request
of the rights articles 15 to 22 RGPD a claim will be necessary, but that
(art. 64.2 LOPDGDD) [w] hen the purpose of the procedure is to determine the
the possible existence of an infringement of the provisions of Regulation (EU)
2016/679 and in this organic law, it will start by means of an initiation agreement
adopted on its own initiative or as a consequence of a claim. That is, both the
RGPD like the LOPDGDD consider that a claim from an affected person can be
the way or means of bringing to the attention of the supervisory authority a possible
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 172
172/184
infringement of data protection regulations, but in no case restricts the
action of the control authority to the specific and concrete complaint of those affected.
And this for many reasons, among which stands out, as may be the case in the
present procedure, that from the confluence of several claims of persons
affected individuals, an action of the person in charge that with
general character (that is, not only in the specific cases presented by the
claimants) from which it turns out that these specific cases are the reflection of a pattern
or common policy applied to all those affected persons who are in the same
case that the interested parties.
The opposite would be inconsistent with the purpose and will of the community legislator,
expressly set forth in the RGPD that the control authorities control and
enforce the RGPD, and with the provisions of the RGPD that they can
I manifest "infringements" of the data protection regulations through
"Claims" that may transcend the individual claims themselves
formulated.
Consequently, the AEPD has decided to analyze the impact of the treatments that
are carried out, resulting in that the deficiencies noted with respect to the regulations of
data protection has a general scope, so that all
the holders of the personal data registered in it, and not only the
claimants, which would result, as has been stated, that the infringement is not
It produces exclusively with respect to these, but with a general character.
It cannot be said, therefore, that there is no link between the object of the
procedure and claims.
In any case, no rule prevents the body that exercises the power
sanctioning, when it determines the opening of a sanctioning procedure,
always ex officio (art. 63.1 law 39/2015, of October 1), determine its scope
according to the circumstances revealed, even if they do not adjust
strictly to the statements and claims of the complainant. That is, the
agreement to initiate the sanctioning procedure is not constrained by the complaint
(the "claim") submitted by the individual. This is not the case in the case of
procedures processed at the request of the interested party, in which article 88.2 of the
LPACAP requires that the resolution be consistent with the requests made by
this. Even in this case, the authority of the Administration to initiate
ex officio a new procedure.
This same article 88 of the LPACAP, referring to the content of the resolution, in its
paragraph 1 establishes the obligation to decide all the questions raised by the
interested parties and those others that derive from the procedure, including questions
related not raised by the interested parties. This article expressly establishes what
following:
"1. The resolution that puts an end to the procedure will decide all the questions
raised by the interested parties and those others derived from it.
In the case of related questions that have not been raised by the
interested parties, the competent body may rule on them, putting it
before manifesting them for a period not exceeding fifteen days, so that
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 173
173/184
formulate the allegations they deem pertinent and provide, where appropriate, the means
test".
In the sanctioning procedure, even the facts that are
revealed during their instruction, which will be determined in the
resolution proposal, and may motivate the modification of the imputations
contained in the agreement to initiate the procedure or its legal classification.
In this sense, when referring to the specialties of the resolution in the
sanctioning procedures, article 90 of the LPACAP establishes:
"two. In the resolution, events other than those determined in the
course of the procedure, regardless of its different legal assessment… ”.
XI
Of the medial infraction contest
Article 29.5 of Law 40/2015, of October 1, on the Legal Regime of the Sector
Public (LRSP) provides:
"When the commission of an offense necessarily derives from the commission of another or
others, only the sanction corresponding to the most infringement must be imposed.
serious committed ”.
In the opinion of this Agency, as set out in the preceding Fundamentals, the
EQUIFAX's conduct in relation to the data processing carried out through the
FIJ, constitutes an infringement of articles 5.1.b) RGPD; 6.1, in relation to
article 5.1.a GDPR; 5.1.d) GDPR; 5.1.c) RGPD and 14 of the RGPD.
The analyzed assumption offers unusual profiles. Based on an initial violation of the
RGPD, the violation of the principle of limitation of the purpose provided for in article
5.1.b) RGPD, the conducts in which the remaining infractions of the
Regulations for which the entity is responsible are presented as a
necessary consequence of the first, undoubtedly the most serious offense.
Although the five infractions attributed to EQUIFAX are very serious infractions with
according to the LOPDGDD and all of them are typified in article 83.5. of the GDPR, the
The most serious offense committed is the violation of the principle of limitation of
purpose to the extent that it has led, in this specific case, in light of the
particular characteristics of the events analyzed, to which the claimed
incur in the remaining four violations of the RGPD for which you are responsible.
Taking into consideration the connection between the five infractions of the
GDPR committed by EQUIFAX in relation to the FIJ and the extraordinary uniqueness
of the case, in which the most serious offense, the violation of the principle of limitation of
the purpose provided for in article 5.1.b), entails the commission of the remaining four
infractions, this Agency considers that in the specific case that concerns us,
taking into account its particularities, there is a medial contest between the
infringement of article 5.1.b) RGPD, on the one hand, and infringements of articles
6.1, in relation to 5.1.a; 5.1.d), 5.1.c) and 14 of the RGPD.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 174
174/184
XII
Of the sanctions and corrective measures imposed on the claimed
1. The powers that the RGPD attributes to the control authorities are detailed in the
Article 58, paragraph 2 of which refers, in particular, to the so-called powers
"Corrective". The precept establishes:
“ Each supervisory authority shall have all the following corrective powers
listed below:
(...)
f) impose a temporary or definitive limitation of the treatment, including its prohibition;
g) order the rectification or deletion of personal data or the limitation of the
treatment in accordance with articles 16, 17 and 18 and the notification of said measures to
the recipients to whom personal data has been communicated in accordance with the
article 17, paragraph 2, and article 19;
(...)
i) impose an administrative fine in accordance with article 83, in addition to or instead of the
measures mentioned in this section, according to the circumstances of each case
particular;
(...) "
2. The respondent stated in her allegations to the initial agreement her total disagreement
with the corrective measures and fines that appeared in the agreement to open the
file indicating that the imposition of a sanction in the amount established in the aforementioned
The agreement would imply that the company would exit the market “for the benefit of other
competing companies that handle the same information ” . Draws attention to
the fact that the AEPD has decided "to adopt the most serious measures
provided for in the data protection regulations ”when the RGPD offers
control authorities a wide range of corrective measures (Article 58) and that the
Article 83 RGPD expressly provides, in the event of a regulatory breach, the
possibility of not imposing an administrative fine and sanctioning with some other the
corrective measures of article 58 RGPD.
In his allegations to the motion for a resolution, he again affects the nature of
disproportionate amount of the proposed administrative fines and requests that
the following extenuating circumstances that reflect a qualified reduction of your guilt in
the processing of your data in the FIJ:
That it has been implementing, since the approval of the RGPD and the LOPDGDD, different
measures aimed at further minimizing the impact of data processing
carried out by the FIJ could produce in the private sphere of the interested parties. What
has never received any sanction from this AEPD in relation to the treatment carried out
carried out by the FIJ. That Equifax has repeatedly responded to any requirement or
request for information related to the FIJ and the lack of negligence or culpability,
as indicated in section 3 of this claim (article 83.2 b) of the
GDPR).
Circumstances to be rejected.
3. In the present case, it is deemed appropriate, considering the circumstances that
concur, impose on the claimed the corrective measures described in the sections
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 175
175/184
f) and g) of article 58.2 RGPD. This, without prejudice to the administrative fines provided
in letter i) of the precept, in accordance with the provisions of article 83.5 RGPD.
As stated in Recital 129 of the RGPD, “ In particular, any measure must be
adequate, necessary and proportionate in order to ensure compliance with the
these Regulations, taking into account the circumstances of each specific case ... "
Regarding the reasons that justify the adoption of these measures, we must point out that,
As has been accredited in the resolution, EQUIFAX incorporates the FIJ file, to
through which it pursues, primarily, a purpose linked to the evaluation of the
solvency of natural persons, information with personal data of the
managed that you get from notification announcements and event postings
administrative that are the subject of publication in official gazettes and newspapers for
fulfill a purpose related to the public interest. The purpose pursued by the FIJ is
different and incompatible with the one that justifies the treatment carried out by the
Public Administrations, so that any subsequent treatment of the data with
the purpose pursued by the FIJ violates the RGPD. The data processing that the FIJ
effect violates the principle of purpose limitation (article 5.1.b, RGPD). Starting
hence, it incurs an infringement of the principle of legality (article 6.1 in relation to the
5.1.a). It is added to the foregoing that, the information contained in the
FIJ to report on the solvency, the claimed does not have mechanisms to
update and keep this information up-to-date or to undoubtedly identify the
alleged debtors. To carry out this treatment, the FIJ violates other principles
of the RGPD that is obliged to respect, such as the accuracy and minimization of
data (articles 5.1.d, and 5.1.c) and, the person in charge of the treatment is not in conditions
(for not having the information regarding the address of all the holders whose
data are subject to treatment) to fulfill obligations that constitute a right
essential of those affected to guarantee the transparency of the treatment (article 14
GDPR).
These infringements of the RGPD respond to the IJF modus operandi and are not
specific violations of current regulations related exclusively to the
claimants of this file.
The mechanics of the file's operation are incompatible with respect for the RGPD.
These are the reasons that advise adopting the only measures that can
guarantee compliance with the regulations governing the fundamental right that
This Agency must protect and restore all natural persons who are suffering the
Illicit treatment of your personal data through the FIJ in the full disposition of the
fundamental right that the Constitution recognizes in article 18.4.
Therefore, in accordance with article 58.2 RGPD, it is agreed to adopt the following
corrective measures:
(i)
In accordance with its section f) definitively prohibit EQUIFAX from
continue with the processing of personal data that you carry out through
of the FIJ, given that the treatment is incompatible with the
GDPR compliance.
(ii)
In accordance with its section g) order the person in charge of the FIJ to proceed to
the deletion of all personal data that are subject to treatment
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 176
176/184
in the aforementioned file related to alleged debts, in accordance with the
provided for in article 17.1.d) of the RGPD.
The corrective measure consisting of definitively prohibiting EQUIFAX from following
carrying out the data processing carried out through the FIJ is provided
to the situation of non-compliance with current and necessary regulations. Also
It is necessary to delete all the personal data of those affected because
being the treatment carried out illicit only in this way can it be restored to people
affected by that treatment in the enjoyment of their fundamental right.
4. Administrative fines.
In order to determine the amount of administrative fines that should be imposed
for each one of the infractions of the RGPD for which EQUIFAX is held responsible,
You must comply with the provisions of articles 83.1 and 83.2 of the RGPD that establish,
respectively:
" Each control authority will guarantee that the imposition of administrative fines
in accordance with this article for infringements of this Regulation
indicated in sections 4, 9 and 6 are in each individual case effective,
proportionate and dissuasive. "
" Administrative fines will be imposed, depending on the circumstances of each
individual case, as an additional or substitute title for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administrative and its amount in each individual case will be duly taken into account:
a) the nature, severity and duration of the offense, taking into account the
nature, scope or purpose of the processing operation in question, as well as
such as the number of interested parties affected and the level of damages that
have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the controller or processor to
mitigate the damages suffered by the interested parties;
d) the degree of responsibility of the person in charge or the person in charge of the treatment,
taking into account the technical or organizational measures that have been applied by virtue of
of articles 25 and 32;
e) any previous infringement committed by the person in charge or the person in charge of the treatment;
f) the degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority learned of the infringement, in
particular if the person in charge or the person in charge notified the infraction and, in such case, in what
measure;
i) when the measures indicated in article 58, paragraph 2, have been ordered
previously against the person in charge or the person in charge in relation to the
same issue, compliance with said measures;
j) adherence to codes of conduct under Article 40 or to mechanisms of
certification approved in accordance with Article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, direct or
indirectly, through the offense. "
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 177
177/184
In relation to section k) of article 83.2 of the RGPD, the LOPDGDD, article 76,
" Sanctions and corrective measures ", provides:
"2 . In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
The following may also be taken into account:
a) The continuing nature of the offense.
b) The linking of the activity of the offender with the performance of treatment of
personal information.
c) The benefits obtained as a result of the commission of the offense.
d) The possibility that the affected person's conduct could have induced the commission
of the offense.
e) The existence of a merger by absorption process after the commission of the
infringement, which cannot be attributed to the absorbing entity.
f) Affecting the rights of minors.
g) Have, when not mandatory, a data protection officer.
h) The submission by the person in charge or in charge, on a voluntary basis, to
alternative dispute resolution mechanisms, in those cases in which
there are controversies between those and any interested party. "
Violations of the RGPD for which EQUIFAX is responsible in this agreement
start are typified in article 83.5., a precept that sets the maximum amount of the
penalty to be imposed in 20,000,000 euros or, in the case of a company, a
amount equivalent to a maximum of 4% of the total global annual turnover
of the previous financial year, opting for the highest amount. "
Determination of modifying circumstances of responsibility:
4.1. Violation of article 5.1.b) RGPD:
The concurrence as aggravating factors of the following factors that
reveal greater unlawfulness and / or culpability in the conduct of the respondent.
1.-The circumstance described in article 83.2.a) RGPD, which assesses the seriousness of the
infringement taking into account the " scope or purpose" of the processing operation.
We are not facing an isolated offending behavior or the result of a specific irregularity.
It is a perfectly articulated modus operandi outside the law that
Taking advantage of official publications containing personal data, it seeks
obtain an economic benefit by providing a service to third parties related to the
information on the solvency of those affected. The scope of this operation
treatment transcends affected claimants and extends to all people
whose data would have been included in official publications in the past or that may
be included in the future. We are facing a structured business on the
non-compliance with the regulations that guarantee the fundamental right recognized in the
Article 18.4 of the EC On the other hand, the data of those affected are called to
communicate to third parties, despite the fact that their treatment clearly violates the RGPD. The
The extent of harm that may result from this treatment is unpredictable.
2.-The circumstance described in article 83.2.b) RGPD that values ​​“ the intentionality
or negligence of the infringement ”. The respondent has not been unaware that her conduct involves
a violation of the GDPR. We are facing a very serious lack of diligence in
EQUIFAX that, despite being aware at all times that its performance
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 178
178/184
violated a fundamental right of the affected people has maintained the
data processing carried out through the FIJ.
3.- The circumstance described in article 83.2.a) RGPD regarding the number of
stakeholders affected. The claims that have led to the opening of this
disciplinary proceedings affect 96 people. However, the
disproportionate number of people potentially affected by the performance of
EQUIFAX that violates the RGPD, according to the information provided exceeds four
million affected.
4.- The circumstance described in article 83.2.a) RGPD regarding damages
suffered by those affected. It is valued for this purpose that, according to the established doctrine
by the AN, Administrative Litigation Chamber, the inclusion of a person in a
financial solvency file has obvious adverse consequences for
affected.
5.- The circumstance described in article 76.2.b) LOPDGDD in relation to the
article 83.2.k) RGPD: The total and absolute link between business activity
that EQUIFAX develops through the FIJ and the processing of personal data.
6.- The circumstance described in article 76.2.c) LOPDGDD in relation to the
article 83.2.k) RGPD. The benefits obtained as a result of the commission of
the offense.
In view of the circumstances that concur, it is estimated that the amount of the fine
administrative authority that must be imposed for the violation of article 5.1.b) RGPD is a
million euros (€ 1,000,000).
Likewise, pursuant to article 58.2.f) of the RGPD, the prohibition that
continue the processing of personal data that you carry out through the File of
Judicial Claims and Public Organizations (FIJ) of which it is the owner.
In accordance with article 58.2.g) RGPD, to proceed to the deletion of all data
personal that are subject to treatment through the FIJ associated with alleged
debts and that were obtained by the defendant from the publication of
notification inserted in the Single Edictal Board of the Official State Gazette, of
bulletins and official journals or the electronic headquarters of agencies and entities of
Public Law
4.2. Violation of article 6.1, in relation to 5.1.a) RGPD:
The concurrence, as aggravating factors, of the following factors that
reveal a greater unlawfulness and / or culpability in the conduct of the defendant in
the terms that are detailed for the violation of article 5.1.b) RGPD.
1.-The circumstance described in article 83.2.a) RGPD.
2.-The circumstance described in article 83.2.b) RGPD.
3.- The circumstance described in article 83.2.a) RGPD regarding the number of
stakeholders affected.
4.- The circumstance described in article 83.2.a) RGPD regarding damages
suffered by those affected.
5.- The circumstance described in article 76.2.b) LOPDGDD in relation to the
article 83.2.k) RGPD.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 179
179/184
6.- The circumstance described in article 76.2.c) LOPDGDD in relation to the
article 83.2.k) RGPD. The benefits obtained.
In view of the circumstances that concur, carefully assessed, it is estimated
that, unlike the provisions of the proposed resolution, the amount of the fine
administrative procedure that should be imposed for the violation of article 6.1, in relation to the
5.1.a) RGPD is one million euros (€ 1,000,000).
Likewise, pursuant to article 58.2.f) of the RGPD, the prohibition that
continue the processing of personal data that you carry out through the File of
Judicial Claims and Public Organizations (FIJ) of which it is the owner.
In accordance with article 58.2.g) RGPD, to proceed to the deletion of all data
personal that are subject to treatment through the FIJ associated with alleged
debts and that were obtained by the defendant from the publication of
notification inserted in the Single Edictal Board of the Official State Gazette, of
bulletins and official journals or the electronic headquarters of agencies and entities of
Public Law.
4.3. Violation of article 5.1.d) RGPD:
The concurrence, as aggravating factors, of the following factors that
reveal greater unlawfulness and / or culpability in the conduct of the respondent,
all of them in the terms that are detailed for the violation of article 5.1.b) RGPD.
1.-The circumstance described in article 83.2.a) RGPD.
2.-The circumstance described in article 83.2.b) RGPD.
3.- The circumstance described in article 83.2.a) RGPD regarding the number of
stakeholders affected.
4.- The circumstance described in article 83.2.a) RGPD regarding damages
suffered by those affected.
5.- The circumstance described in article 76.2.b) LOPDGDD in relation to the
article 83.2.k) RGPD.
6.- The circumstance described in article 76.2.c) LOPDGDD in relation to the
article 83.2.k) RGPD. The benefits obtained.
In view of the circumstances that concur, carefully assessed, it is estimated
that, unlike the provisions of the proposed resolution, the amount of the fine
administrative authority that must be imposed for the violation of article 5.1.d) RGPD is a
million euros (€ 1,000,000).
Likewise, pursuant to article 58.2.f) of the RGPD, the prohibition that
continue the processing of personal data that you carry out through the File of
Judicial Claims and Public Organizations (FIJ) of which it is the owner.
In accordance with article 58.2.g) RGPD, to proceed to the deletion of all data
personal that are subject to treatment through the FIJ associated with alleged
debts and that were obtained by the defendant from the publication of
notification inserted in the Single Edictal Board of the Official State Gazette, of
bulletins and official journals or the electronic headquarters of agencies and entities of
Public Law.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 180
180/184
4.4. Violation of article 5.1.c) RGPD
The concurrence, as aggravating factors, of the following factors that
reveal greater unlawfulness and / or culpability in the conduct of the respondent,
all of them in the terms that are detailed for the violation of article 5.1.b) RGPD.
1.-The circumstance described in article 83.2.a) RGPD.
2.-The circumstance described in article 83.2.b) RGPD.
3.- The circumstance described in article 83.2.a) RGPD regarding the number of
stakeholders affected.
4.- The circumstance described in article 83.2.a) RGPD regarding damages
suffered by those affected.
5.- The circumstance described in article 76.2.b) LOPDGDD in relation to the
article 83.2.k) RGPD.
6.- The circumstance described in article 76.2.c) LOPDGDD in relation to the
article 83.2.k) RGPD. The benefits obtained.
In view of the circumstances that concur, it is estimated that the amount of the fine
administrative authority that must be imposed for the violation of article 5.1.c) RGPD is a
million euros (€ 1,000,000).
4.5. Infringement of article 14 GDPR
The concurrence, as aggravating factors, of the following factors that
reveal greater unlawfulness and / or culpability in the conduct of the respondent,
all of them in the terms that are detailed for the violation of article 5.1.b) RGPD.
1.-The circumstance described in article 83.2.a) RGPD.
2.-The circumstance described in article 83.2.b) RGPD.
3.- The circumstance described in article 83.2.a) RGPD regarding the number of
stakeholders affected.
4.- The circumstance described in article 83.2.a) RGPD regarding damages
suffered by those affected.
5.- The circumstance described in article 76.2.b) LOPDGDD in relation to the
article 83.2.k) RGPD.
6.- The circumstance described in article 76.2.c) LOPDGDD in relation to the
article 83.2.k) RGPD. The benefits obtained.
In view of the circumstances that concur, it is estimated that the amount of the fine
administrative procedure that should be imposed for the violation of article 14 RGPD is of a
million euros (€ 1,000,000).
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 181
181/184
Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of sanctions whose existence has been proven,
the Director of the Spanish Data Protection Agency,
RESOLVES:
FIRST: IMPOSE EQUIFAX IBÉRICA, SL , with NIF B80855398 , for a
infringement of Article 5.1.b) of the RGPD, typified in Article 83.5 of the RGPD, in
media contest, in accordance with the provisions of article 29.5 of Law 40/2015, with the
infractions of articles 6.1., in relation to article 5.1.a) RGPD; 5.1.d)
GDPR; 5.1.c) RGPD and 14 of the RGPD, the following sanctions:
Pursuant to article 58.2.i) of the RGPD, an administrative fine of one million euros
(€ 1,000,000).
Pursuant to article 58.2.f) of the RGPD, the prohibition to continue the treatment of
the personal data that you carry out through the File of Judicial Claims and
Public bodies (FIJ) of which it is the owner.
In accordance with article 58.2.g) RGPD, to proceed to the deletion of all data
personal that are subject to treatment through the FIJ associated with alleged
debts and that were obtained by the defendant from the publication of
notification inserted in the Single Edictal Board of the Official State Gazette, of
bulletins and official journals or the electronic headquarters of agencies and entities of
Public Law.
SECOND: NOTIFY this resolution to EQUIFAX IBÉRICA, SL .
THIRD: Warn the sanctioned person that the sanction imposed by a
Once this resolution is enforceable, in accordance with the provisions of the
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter LPACAP), within the payment period
voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by means of their entry, indicating the NIF of the sanctioned person and the number
of procedure that appears in the heading of this document, in the account
restricted number ES00 0000 0000 0000 0000 0000 , opened in the name of the Agency
Spanish for Data Protection in the banking entity CAIXABANK, SA. In case
Otherwise, it will be collected in the executive period.
Received the notification and once executive, if the date of execution is found
Between the 1st and the 15th of each month, both inclusive, the deadline for making the payment
volunteer will be until the 20th of the following or immediately subsequent business month, and if
between the 16th and the last day of each month, both inclusive, the payment term
it will be until the 5th of the second following or immediate business month.
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 182
182/184
Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a month to
counting from the day after the notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within two months from the
day following notification of this act, as provided in article 46.1 of the
referred to Law.
Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
letter addressed to the Spanish Agency for Data Protection, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web /], or through any of the other records provided for in art. 16.4 of the
cited Law 39/2015, of October 1. You must also transfer to the Agency the
documentation that proves the effective filing of the contentious appeal-
administrative. If the Agency is not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.
938-131120
Mar Spain Martí
Director of the Spanish Agency for Data Protection
ANNEX I
Claimants are identified by a number. This Annex provides the
personal data - name, surname and NIF- of each claimant and the reference of the
File opened by the AEPD to each one of the presented claims.
Complainant 1: E / 104/2020, (…).
Claimant 2: E / 59/2020, (…).
Claimant 3: E / 36/2019, (…).
Claimant 4: E / 727/2020, (…).
Claimant 5: E / 728/2020, (…).
Claimant 6: E / 736/2020 , (…) Represented by Inzertia Consultores Financieros,
SL, CIF B87960472.
Claimant 7: E / 743/2020, (…).
Claimant 8: E / 745/2020, (…).
Claimant 9: E / 954/2020 , (…) , Represented by Inzertia Consultores Financieros,
SL
Claimant 10: E / 957/2020 , (…) . Represented by Inzertia Consultores Financieros,
SL
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 183
183/184
Claimant 11: E / 1206/2020, (…). Represented by Inzertia Consultores Financieros,
SL
Claimant 12: E / 1207/2020, (…). Represented by Inzertia Consultores
Financieros, SL
Claimant 13: E / 1209/2020, (…).
Represented by Inzertia Consultores
Financieros, SL
Claimant 14: E / 1210/2020, (…). Represented by Inzertia Consultores
Financieros, SL
Claimant 15: E / 1211/2020. (…). Represented by Inzertia Consultores Financieros,
SL
Claimant 16: E / 1262/2020, (…). Represented by Inzertia Consultores
Financieros, SL
Claimant 17: E / 3321/2019, (…).
Claimant 18: E / 3633/2019, (…).
Claimant 19 : E / 3912/2019, (…).
Claimant 20: E / 4367/2019, (…).
Claimant 21: E / 2021/2020, (…) , represented by (…).
Claimant 22: E / 2031/2020, (…).
Claimant 23: E / 2035/2020, (…), represented by INZERTIA Consultores
Financieros, SL
Claimant 24: E / 2038/2020, (…), represented by Inzertia Consultores Financieros,
SL
Claimant 25: E / 04391/2019, (…).
Claimant 26: E / 04392/2019, (…)
Claimant 27: E / 04839/2019, (…).
Claimant 28: E / 04967/2019, (…).
Claimant 29: E / 04978/2019, (…).
Claimant 30: E / 04992/2019, (…).
Claimant 31: E / 05109/2019 , (…).
Claimant 32: E / 05447/2019, (…) .
Claimant 33: E / 05471/2019, (…)
Claimant 34: E / 06161/2019, (…).
Claimant 35: E / 06172/2019, (…) .
Claimant 36: E / 06174/2019, (…)
Claimant 37: E / 06186/2019, (…).
Claimant 38: E / 06187/2019, (…)
Complainant 39: E / 06848/2019, (…) .
Claimant 40: E / 06852/2019, (…)
Claimant 41: E / 06853/2019, (…) .
Claimant 42: E / 07145/2019, (…)
Complainant 43: E / 11624/2019, (…) .
Claimant 44: E / 11629/2019, (…) .
Claimant 45: E / 11638/2019, (…) .
Claimant 46: E / 2047/2020, (…) . Represented by Inzertia Consultores
Financieros, SL
Claimant 47: E / 2048/2020, (…). Represented by Inzertia Consultores
Financieros, SL
Claimant 48: E / 2050/2020, (…).
Claimant 49: E / 7159/2019, (…) .
Claimant 50: E / 07162/2019. (…)
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 184
184/184
Claimant 51: E / 07823/2019. (…) .
Claimant 52: E / 07825/2019. (…).
Complainant 53: E / 08006/2019. (…)
Claimant 54: E / 08008/2019. (…).
Claimant 55: E / 08668/2019. (…). Represented by (…)
Claimant 56: E / 09912/2019. (…).
Claimant 57: E / 10232/2019. (…).
Claimant 58: E / 10236/2019 (…).
Claimant 59: E / 10367/2019. (…)
Claimant 60: E / 10997/2019 and E / 03977/2020. (…).
Claimant 61: E / 11032/2019. (…)
Claimant 62: E / 11619/2019. (…)
Claimant 63: E / 11623/2019. (…)
Claimant 64: E / 03261/2020. (…). Represented by INZERTIA.
Claimant 65: E / 03262/2020. (…)
Claimant 66: E / 03265/2020 (…). Represented by INZERTIA.
Claimant 67: E / 03267/2020 (…)
Claimant 68: E / 03257/2020. (…). Represented by INZERTIA.
Claimant 69: E / 03269/2020. (…). Represented by INZERTIA.
Claimant 70: E / 03272/2020. (…). Represented by INZERTIA.
Claimant 71: E / 03274/2020. (…). Represented by INZERTIA.
Claimant 72: E / 03279/2020 . (…).
Complainant 73: E / 03283/2020. (…).
Complainant 74: E / 03349/2020. (…) . Represented by INZERTIA.
Claimant 75: E / 03550/2020. (…).
Claimant 76: E / 03516/2020. (…).
Claimant 77: E / 03517/2020. (…).
Claimant 78: E / 03547/2020 . (…).
Claimant 79: E / 03617/2020. (…) . Represented by INZERTIA.
Complainant 80 E / 01366/2019. (…)
Claimant 81: E / 03604/2020. (…) . Represented by INZERTIA.
Complainant 82: E / 03610/2020. (…) . Represented by INZERTIA.
Complainant 83: E / 03613/2020. (…). Represented by INZERTIA
Complainant 84: E / 03618/2020. (…) .
Claimant 85: E / 03649/2020. (…) .
Claimant 86: E / 03729/2020. (…). Represented by (…).
Claimant 87: E / 03888/2020. (…)
Claimant 88: E / 03852/2020. (…).
Complainant 89: E / 04760/2020. (…). Represented by (…) .
Claimant 90: E / 05250/2020. (…)
Claimant 91: E / 05048/2020. (…)
Claimant 92: E / 05045/2020. (…).
Complainant 93: E / 05254/2020. (…).
Claimant 94: E / 04999/2020. (…).
Claimant 95: E / 5454/2019. (…)
Claimant 96: E / 5459/2019. (…).
Claimant 97: E / 9910/2019. (…).
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es