AEPD (Spain) - EXP202205104: Difference between revisions
No edit summary |
m (Ar moved page AEPD (Spain) - PS/00586/2022 to AEPD (Spain) - EXP202205104) |
||
(2 intermediate revisions by one other user not shown) | |||
Line 63: | Line 63: | ||
}} | }} | ||
The Spanish DPA held that the | The Spanish DPA held that the registration of a data subject in a common credit information system was unlawful as the debt was neither 'certain, nor due or payable'. It fined the controller €50,000. | ||
== English Summary == | == English Summary == | ||
Line 75: | Line 75: | ||
The Spanish DPA concluded that the controller violated [[Article 6 GDPR#1|Article 6(1) GDPR]]. | The Spanish DPA concluded that the controller violated [[Article 6 GDPR#1|Article 6(1) GDPR]]. | ||
According to the DPA, when notifying the credit information system about a debt that is neither 'certain, nor due or payable', as required by [https://www.boe.es/boe/dias/2018/12/06/pdfs/BOE-A-2018-16673.pdf Article 20(1) LOPDGDD], the controller cannot rely on the presumption of legitimate interest established by this provision | According to the DPA, when notifying the credit information system about a debt that is neither 'certain, nor due or payable', as required by [https://www.boe.es/boe/dias/2018/12/06/pdfs/BOE-A-2018-16673.pdf Article 20(1) LOPDGDD], the controller cannot rely on the presumption of legitimate interest established by this provision. | ||
Therefore, the DPA considered that the data processing lacked a legal basis and fined the controlle €50,000 for the violation of [[Article 6 GDPR#1|Article 6(1) GDPR]]. | Therefore, the DPA considered that the data processing lacked a legal basis and fined the controlle €50,000 for the violation of [[Article 6 GDPR#1|Article 6(1) GDPR]]. |
Latest revision as of 13:27, 13 December 2023
AEPD - PS/00586/2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1) GDPR Article 20 LOPDGDD |
Type: | Complaint |
Outcome: | Upheld |
Started: | 04.04.2022 |
Decided: | 17.05.2023 |
Published: | 17.05.2023 |
Fine: | 50,000 EUR |
Parties: | Fusiona Soluciones Energéticas, S.A. |
National Case Number/Name: | PS/00586/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Mgrd |
The Spanish DPA held that the registration of a data subject in a common credit information system was unlawful as the debt was neither 'certain, nor due or payable'. It fined the controller €50,000.
English Summary
Facts
The company Fusiona Soluciones Energéticas, the controler, filed a lawsuit against the data subject due to an alleged debt. In the judgment , a Spanish Court of First Instance dismissed the claim and declared that the data subject had no debt with the controller. Although the decision was final, the controller included the data subject's data in the 'common credit information system' associating them with the alleged debt.
The data subject then filed a complaint with the Spanish DPA, which initiated disciplinary proceedings against the controller.
Holding
The Spanish DPA concluded that the controller violated Article 6(1) GDPR.
According to the DPA, when notifying the credit information system about a debt that is neither 'certain, nor due or payable', as required by Article 20(1) LOPDGDD, the controller cannot rely on the presumption of legitimate interest established by this provision.
Therefore, the DPA considered that the data processing lacked a legal basis and fined the controlle €50,000 for the violation of Article 6(1) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202205104 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following: BACKGROUND FIRST: D.A.A.A. (hereinafter, the claiming party) dated April 4, 2022 filed a claim with the Spanish Data Protection Agency. The The claim is directed against Fusiona Soluciones Energéticas, S.A. with NIF A85818797 (hereinafter, the claimed party). The reasons on which the claim is based are the following: The complaining party states that their personal data was registered in systems common forms of credit information in relation to a debt associated with a contract which he did not do Along with the claim, the following relevant documentation is provided: Judgment of the Court of First Instance number X of ***LOCATION.1, dated November 29, 2021, Verbal Trial XXX/2020, in which ruling dismissed fully the claim filed by Fusiona Soluciones Energéticas, S.A, against the complaining party, absolving the affected party of all claims against him. Oral Proceeding Order XXX/2020, dated January 14, 2022, in whose agreement the firmness of said resolution is declared. ASNEF report on the inclusion of the personal data of the complaining party to instances of the claimed party, on March 22, 2022. Registration date March 28, June 2019. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in forward LOPDGDD), said claim was transferred to the claimed party, for to proceed with its analysis and inform this Agency within a month of the actions carried out to adapt to the requirements established in the regulations of Data Protection. The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of October 1, of the Common Administrative Procedure of the Administrations Public (hereinafter, LPACAP) by electronic notification, was not collected by the person in charge, within the period of availability, understood as rejected in accordance with the provisions of art. 43.2 of the LPACAP dated May 15, 2022, as stated in the certificate that is in the file. Subsequently, the transfer was carried out in accordance with the rules established in the LPACAP by certified postal mail, was returned due to absence on June 6 of 2022. No response has been received to this letter of transfer. THIRD: In accordance with article 65 of the LOPDGDD, when the before the Spanish Data Protection Agency (hereinafter, AEPD) a claim, it must evaluate its admissibility for processing, and must notify the complaining party the decision on the admission or inadmissibility of processing, within the period of three months from the date the claim was received by this Agency. yes, elapsed this period, if said notification does not take place, it will be understood that the processing of the claim in accordance with the provisions of Title VIII of the Law. Said provision is also applicable to the procedures that the AEPD would have to process in exercise of the powers attributed to it by other laws. In this case, taking into account the foregoing and that the claim is filed with this Agency, on April 4, 2022, it is communicated that your The claim has been admitted for processing, on July 4, 2022, after three months since it entered the AEPD. FOURTH: On January 17, 2023, the Director of the Spanish Agency for Data Protection agreed to initiate disciplinary proceedings against the claimed party, for the alleged infringement of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR. FIFTH: Notification of the Commencement Agreement, through the postal service on the 18th of January 2023, stating that the postal notification "has been returned to origin by unknown" on January 27, 2023, and for this reason it was sent to the Single Edictal Board of the BOE, being published on February 1, 2023. Subsequently, the Single Authorized Electronic Address (DEHÚ) service certifies: “date of acceptance by the claimed party on February 9, 2023”. There is no record that the claimed party has submitted a written statement of allegations to the same. Article 64.2.f) of Law 39/2015, of October 1, on Administrative Procedure Common for Public Administrations (hereinafter LPACAP) -provision of which the party claimed was informed in the agreement to open the procedure establishes that if allegations are not made within the period provided for the content of the initiation agreement, when it contains a precise pronouncement about the imputed responsibility, may be considered a resolution proposal. In it present case, the agreement to initiate the sanctioning file determined the facts in which the accusation was specified, the infringement of the GDPR attributed to the claimed and the sanction that could be imposed. Therefore, taking into consideration that the claimed party has not made allegations to the agreement to start the file and In accordance with the provisions of article 64.2.f) of the LPACAP, the aforementioned agreement of beginning is considered in the present case resolution proposal. In view of all the proceedings, by the Spanish Agency for Data Protection In this proceeding, the following are considered proven facts: PROVEN FACTS FIRST: The claimed party included the personal data of the claiming party in common credit information systems in relation to a debt associated with a contract that I do not perform. SECOND: It appears in the report issued by Equifax dated March 22, 2022, the following operations in the Asnef file: Reporting Entity: Fusiona Soluciones Energéticas, S.A. Registration date: 06/28/2019 Name: A.A.A. THIRD: In the Judgment of the Court of First Instance number X of ***LOCATION.1, dated November 29, 2021, Verbal Trial XXX/2020, was confirms in its ruling that the claim made by Fusiona Soluciones Energéticas, S.A, against the claimant, acquitting the affected by all claims against him. In the Verbal Trial Ordinance Diligence XXX/2020, dated January 14, 2022, it is agreed to declare the firmness of said resolution. FUNDAMENTALS OF LAW Yo Competence In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with character subsidiary, by the general rules on administrative procedures." II breached obligation The claimed party is accused of committing an infringement for violation of Article 6.1 of the GDPR, due to lack of legitimacy in the treatment. Article 6 of the GDPR, under the heading "Lawfulness of processing", details in its section 1 the cases in which data processing is considered lawful: "1. Processing will only be lawful if it meets at least one of the following conditions: a) the interested party gave his consent for the processing of his personal data for one or more specific purposes; b) the treatment is necessary for the execution of a contract in which the interested party is part of or for the application at the request of the latter of pre-contractual measures; c) the processing is necessary for compliance with a legal obligation applicable to the responsible for the treatment; d) the processing is necessary to protect vital interests of the data subject or of another Physical person; e) the treatment is necessary for the fulfillment of a mission carried out in the interest public or in the exercise of public powers conferred on the data controller; f) the treatment is necessary for the satisfaction of legitimate interests pursued by the person in charge of the treatment or by a third party, provided that on said interests do not outweigh the interests or fundamental rights and freedoms of the interested party that require the protection of personal data, in particular when the interested is a child. The provisions of letter f) of the first paragraph shall not apply to the treatment carried out by public authorities in the exercise of their functions.” In parallel, the LOPDGDD, in its article 20, under the rubric of "Systems of credit information” provides: "1. Unless proven otherwise, the processing of personal data will be presumed lawful. related to the breach of monetary, financial or credit obligations by common credit information systems when the following are met requirements: a) That the data has been provided by the creditor or by someone acting on their behalf or interest. b) That the data refer to certain, overdue and payable debts, whose existence or amount had not been subject to an administrative or judicial claim by the debtor or through a binding alternative dispute resolution procedure between the parts. c) That the creditor has informed the affected party in the contract or at the time of require payment about the possibility of inclusion in said systems, with indication of those in which it participates. The entity that maintains the credit information system with data related to the breach of monetary, financial or credit obligations must notify the affected by the inclusion of such data and will inform you about the possibility of exercising the rights established in articles 15 to 22 of Regulation (EU) 2016/679 within of the thirty days following the notification of the debt to the system, remaining data blocked during that period. d) That the data is only kept in the system while the breach persists, with a maximum limit of five years from the expiration date of the monetary, financial or credit obligation. e) That the data referring to a specific debtor can only be consulted when the person consulting the system maintained a contractual relationship with the affected party that implies the payment of a pecuniary amount or this would have requested the conclusion of a contract that involves financing, deferred payment or periodic billing, as happens, among other cases, in those provided for in the legislation on consumer credit contracts and real estate credit contracts. When the right to limitation of processing has been exercised before the system of the data challenging its accuracy in accordance with the provisions of article 18.1.a) of the Regulation (EU) 2016/679, the system will inform those who could consult it with accordance with the previous paragraph about the mere existence of said circumstance, without provide the specific data with respect to which the right had been exercised, in both are resolved on the request of the affected party. f) That, in the event that the request for the conclusion of the contract is denied, or it will not be held, as a result of the consultation carried out, whoever has Once the system has been consulted, inform the affected party of the result of said consultation. 2. The entities that maintain the system and the creditors, regarding the treatment of the data referring to their debtors, will have the status of co-responsible for the data processing, being applicable the provisions of article 26 of the Regulation (EU) 2016/679. It will correspond to the creditor to guarantee that the requirements demanded for the inclusion in the debt system, answering for its non-existence or inaccuracy. 3. The presumption referred to in section 1 of this article does not cover the cases in which the credit information was associated by the entity that The system maintains additional information to those contemplated in said section, related to the debtor and obtained from other sources, in order to carry out carry out a profiling of the same, in particular through the application of techniques of credit rating.” II Classification and classification of the offense The infringement for which the party claimed in this agreement is held responsible of initiation is typified in article 83 of the GDPR which, under the rubric “General conditions for the imposition of administrative fines”, states: "5. Violations of the following provisions will be penalized, in accordance with the section 2, with administrative fines of a maximum of 20,000,000 Eur or, in the case of of a company, of an amount equivalent to a maximum of 4% of the volume of overall annual total business of the previous financial year, opting for the one with the highest amount: a) The basic principles for the treatment, including the conditions for the consent in accordance with articles 5,6,7 and 9.” The LOPDGDD, for the purposes of the prescription of the infringement, qualifies in its article 72.1. very serious infringement, in this case the limitation period is three years, "b) The processing of personal data without the fulfillment of any of the conditions of legality of the treatment established in article 6 of Regulation (EU) 2016/679.” The documentation in the file shows that the party claimed violated article 6.1 of the GDPR. The conduct of the claimed party contrary to the principle of legality has consisted of notify a credit information system (the ASNEF file) of a debt that, with respect to the alleged debtor, the claimant, was not true, nor expired nor enforceable, as requires article 20.1 of the LOPDGDD for the presumption to apply "iuris tantum" of prevalence of the legitimate interest of the person in charge, without accrediting the existence of such legitimate interest or the legally required weighting. The treatment illegal use of the claimant's data, materialized in the inclusion in a file of solvency without legal basis, began on June 28, 2019, the date of registration of the debt in the mentioned file. The claimant has provided a ruling from the Court of First Instance number X of ***LOCATION.1 Verbal Trial XXX/2020 Judgment: 00XXX/2021 before the party claimed, as well as a report of inclusion in the Asnef system dated March 22 of 2022 in which your personal data is registered by the entity claimed, with discharge date June 28, 2019. As Recital 40 of the GDPR clearly states “..For the treatment to be lawful, personal data must be processed with the consent of the interested party or on some other legitimate basis established in accordance with the Law, either in the this Regulation or by virtue of another Law of the Union or of the States Member States referred to in this Regulation, including the need to comply with the legal obligation applicable to the data controller or the need to execute a contract in which the interested party is a party or in order to take measures at the request of the interested party prior to the conclusion of a contract.” IV. Sanction In order to establish the administrative fine that should be imposed, the following provisions contained in articles 83.1 and 83.2 of the GDPR, which state: "1. Each control authority will guarantee that the imposition of fines administrative proceedings under this article for violations of this Regulations indicated in sections 4, 5 and 6 are in each individual case effective, proportionate and dissuasive. 2. Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or in lieu of the measures contemplated in Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administration and its amount in each individual case shall be duly taken into account: a) the nature, seriousness and duration of the offence, taking into account the nature, scope or purpose of the processing operation in question, as well as such as the number of interested parties affected and the level of damages that have suffered; b) intentionality or negligence in the infraction; c) any measure taken by the controller or processor to alleviate the damages and losses suffered by the interested parties; d) the degree of responsibility of the controller or processor, taking into account the technical or organizational measures that they have applied under of articles 25 and 32; e) any previous infringement committed by the controller or processor; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the potential adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particular whether the person in charge or the person in charge notified the infringement and, if so, in what extent; i) when the measures indicated in article 58, paragraph 2, have been ordered previously against the person in charge or the person in charge in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under article 40 or to mechanisms of certification approved in accordance with article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through infringement. In relation to letter k) of article 83.2 of the GDPR, the LOPDGDD, in its article 76, "Sanctions and corrective measures" establishes that: "2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 may also be taken into account: a) The continuing nature of the offence. b) The link between the activity of the offender and the performance of data processing. personal information. c) The benefits obtained as a consequence of the commission of the infraction. d) The possibility that the conduct of the affected party could have led to the commission of the offence. e) The existence of a merger by absorption process subsequent to the commission of the violation, which cannot be attributed to the absorbing entity. f) The affectation of the rights of minors. g) Have, when it is not mandatory, a data protection delegate. h) Submission by the person responsible or in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which there are controversies between those and any interested party.” In accordance with the precepts transcribed, for the purpose of setting the amount of the sanction of fine to be imposed in the present case for the infraction typified in article 83.5.a) of the GDPR for which the claimed party is held responsible, are considered concurrent the following aggravating factors: - The evident link between the business activity of the defendant and the treatment of personal data of clients or third parties (article 83.2.k, of the GDPR in relation to article 76.2.b, of the LOPDGDD). The Judgment of the National Court of 10/17/2007 (rec. 63/2006), in which, with respect to entities whose activity entails the continuous processing of customer data, indicates that "...the Supreme Court has understood that recklessness exists whenever a legal duty of care is neglected, that is that is, when the offender does not behave with the required diligence. And in the assessment of the degree of diligence, special consideration must be given to the professionalism or not of the subject, and there is no doubt that, in the case now examined, when the appellant's activity is constant and abundant handling of personal data must insist on rigor and exquisite Be careful to comply with the legal provisions in this regard.” The balance of the circumstances contemplated in article 83.2 of the GDPR, with regarding the offense committed by violating the provisions of article 6.1 of the GDPR allows a penalty of 50,000 euros (fifty thousand euros) to be set. Therefore, in accordance with the applicable legislation and assessed the criteria of graduation of sanctions whose existence has been accredited, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE FUSIONA SOLUCIONES ENERGÉTICAS, S.A., with NIF A85818797, for a violation of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR, a fine of 50,000 euros (fifty thousand euros). SECOND: NOTIFY this resolution to FUSIONA SOLUCIONES ENERGÉTICAS, S.A. THIRD: Warn the penalized person that they must make the imposed sanction effective Once this resolution is enforceable, in accordance with the provisions of Article art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations (hereinafter LPACAP), within the payment period voluntary established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by means of its income, indicating the NIF of the sanctioned and the number of procedure that appears in the heading of this document, in the account restricted IBAN number: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX), opened on behalf of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A. Otherwise, it will proceed to its collection in executive period. Once the notification has been received and once executed, if the execution date is between the 1st and 15th of each month, both inclusive, the term to make the payment voluntary will be until the 20th day of the following or immediately following business month, and if between the 16th and the last day of each month, both inclusive, the payment term It will be until the 5th of the second following or immediately following business month. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified. Against this resolution, which puts an end to the administrative process in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reversal before the Director of the Spanish Agency for Data Protection within a period of one month from count from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the firm resolution in administrative proceedings if the The interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through writing addressed to the Spanish Data Protection Agency, presenting it through of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronicaweb/], or through any of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the documentation proving the effective filing of the contentious-administrative appeal. If the Agency was not aware of the filing of the appeal contentious-administrative proceedings within a period of two months from the day following the Notification of this resolution would terminate the precautionary suspension. Mar Spain Marti Director of the Spanish Data Protection Agency