AEPD (Spain) - PS/00241/2022: Difference between revisions

From GDPRhub
Latest revision as of 11:14, 23 March 2023

AEPD - PS/00241/2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Partly Upheld
Started: 09.03.2021
Decided:
Published:
Fine: 100.000 EUR
Parties: Ibercaja
National Case Number/Name: PS/00241/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Bernardo Armentano

AEPD fined Ibercaja - a bank - €100.000 for opening an account in the name of a minor during an inheritance process without having obtained the specific and unambiguous consent of the mother, in breach of Article 6(1) GDPR.

English Summary

Facts

A woman provided her personal data and the personal data of her child (data subject) to the Spanish bank Ibercaja (data controller) with the intention of obtaining balances of a deceased person and initiating an inheritance process. During the process, the controller opened an account in the name of the minor data subject to transfer part of the funds that the deceased person had in the bank. Upon learning about the bank account, the mother filed a complaint with the AEPD claiming that the controller did not ask for her consent. The controller confirmed that there was no authorisation but alleged that the account was inactive and that it was necessary for the distribution and adjudication of the deceased's assets requested by the mother.

Holding

The AEPD considered that the opening of the account by the controller was not necessary for the performance of the service requested by the mother, as she could choose to open it in any other financial institution. The DPA pointed out that the mother's request to initiate the inheritance procedure does not imply per se that the bank can use the child's data for other purposes, such as opening a bank account. It emphasised that, although the account was not active, the mere insertion of the data subject's personal data into the bank's information systems was illegal since it was not authorized by their legal representative.

It recalled that the GDPR requires controllers to obtain informed and unambiguous consent for each of the purposes of the personal data processing. Thus, the fact that the claimant provided her personal data with the intention of obtaining the bank balances does not allow the bank to process these data for other purposes, such as the creation of a bank account in the name of one of her minor children.

On this basis, the AEPD found a violation of Article 6 GDPR and fined Ibercaja €100.000.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.