AEPD (Spain) - PS/00331/2022

From GDPRhub

Latest revision as of 13:54, 28 February 2024

AEPD - PS/00331/2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 25 GDPR
Article 32 GDPR
32 bis 4 Ley 10/2010, de 28 de abril, de prevención del blanqueo de capitales y de la financiación del terrorismo
32.4 Ley 10/2010, de 28 de abril, de prevención del blanqueo de capitales y de la financiación del terrorismo
Type: Complaint
Outcome: Upheld
Started: 05.08.2021
Decided:
Published: 28.07.2023
Fine: 2,500,000 EUR
Parties: OPEN BANK, S.A.
National Case Number/Name: PS/00331/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Teresa López

The DPA did not accept anti-money laundering verification obligations as an excuse for forcing a data subject to provide details on the origin of their money through unencrypted emails, resulting in a €2,500,000 fine on the controller.

English Summary

Facts

On 5 August 2021, the data subject filed a complaint with the Bavarian Data Protection Authority against Openbank (the controller).

The data subject complained that the controller had requested proof of origin for several amounts of money in their bank account. This was so that the controller could comply with anti-money laundering regulations.

The data subject was not offered any mechanism to provide this information securely other than unencrypted e-mail. Despite expressing concerns about the data protection risks, the data subject was not offered an alternative channel for providing the information.

Holding

The Spanish DPA was competent to act as the lead supervisory authority as the controller has its registered office and main establishment in Spain.

The DPA found that the controller violated Article 25 GDPR.

First, the controller had an incomplete data protection impact assessment (DPIA). While it had carried out a DPIA for its general processing, that DPIA did not cover the processing of personal data in the context of anti-money laundering verifications. This omission led to a lack of appropriate technical and organisational measures to uphold data protection principles and comply with GDPR requirements.

Second, the DPA emphasised that having protocols or templates alone is insufficient for compliance with data protection by design and by default. Simply carrying out the Data Protection Impact Assessment mandated by Articles 32.4 and 32 bis.4 of Law 10/2010, of 28 April, on the prevention of money laundering and terrorism financing (LPBCFT) is insufficient to fulfil the requirements of data protection by design under Article 25 GDPR, because the obligations under Article 25 GDPR go beyond adhering to the data protection rules specified in the LPBCFT: data protection by design entails more than performing an impact assessment. For example, to comply with Article 25 GDPR, the controller should have designed protocols that told clients that the information could also be sent via postal mail or in person at bank offices. Instead, the communication sent to clients only told them to send the information via unencrypted e-mail. The controller should also have implemented measures after the data subject expressed concerns; it did not implement remedial actions until over a year later.

The DPA also held that the controller infringed Article 32 GDPR.

The controller did not offer a secure means of providing the documentation, and the documentation was sent without appropriate security measures. The DPA stated that standard e-mail cannot be considered an appropriate means of guaranteeing a level of security adequate to the risk when sending documentation containing personal financial data.

As a result of these infringements, the AEPD imposed a total fine of €2,500,000 on the controller: €1,500,000 for violating Article 25 GDPR and €1,000,000 for violating Article 32 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

     File No.: EXP202101565

IMI Reference: A56ID 318964 - A60DD 432357 - Case Register 321773


RESOLUTION OF SANCTIONING PROCEDURE

In the procedure instructed by the Spanish Data Protection Agency, and on the basis of the following

BACKGROUND

FIRST: A.A.A. (hereinafter, the complaining party) filed a claim, dated August 5, 2021, before the Bavarian data protection authority (Bavarian Land Office for Data Protection Supervision). The claim is directed against OPEN BANK, S.A., with NIF A-28021079 (hereinafter, OPENBANK). The grounds on which the claim is based are as follows:

The banking entity OPENBANK has asked the complaining party to prove the origin of various amounts received in their bank account, in compliance with anti-money laundering regulations. However, no mechanism has been offered to provide this information encrypted or by direct upload to the web portal. The only valid option has been sending it by e-mail.


Along with the notification, the following is provided:

- Copy of an e-mail sent from the address ***EMAIL.1 to ***EMAIL.2 (hereinafter, the e-mail of the complaining party), dated July 7, 2021. In this e-mail, the complaining party is required to provide the documentation necessary to prove the origin of the funds of three deposits made by the complaining party, in compliance with anti-money laundering and counter-terrorist financing legislation; and it is indicated that, if this documentation is not received within 15 days, OPENBANK must block the execution of new payments into their account in accordance with current regulations.

- Copy of an e-mail sent from the e-mail of the complaining party to ***EMAIL.1, dated July 10, 2021. In this e-mail the complaining party indicates that they provide, under protest, the documentation corresponding to the year 2019 through an unencrypted e-mail because, as indicated to them in a telephone conversation, there is no possibility of sending this documentation electronically in any other way.

- Automatic reply to the previous e-mail, dated July 10, 2021, sent by ***EMAIL.3 to the complaining party, indicating that their e-mail has been received and that they will reply soon.


SECOND: Through the "Internal Market Information System" (hereinafter, IMI), regulated by Regulation (EU) No. 1024/2012 of the European Parliament and of the Council, of October 25, 2012 (IMI Regulation), whose objective is to promote cross-border administrative cooperation, mutual assistance between Member States and the exchange of information, the aforementioned claim was transmitted on August 24, 2021 and was given an entry registration date at the Spanish Data Protection Agency (AEPD) of August 30, 2021. The transfer of this claim to the AEPD is made in accordance with the provisions of article 56 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 04/27/2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter, RGPD), taking into account its cross-border nature and that this Agency is competent to act as the lead supervisory authority, given that OPENBANK has its headquarters and main establishment in Spain.

The data processing carried out affects data subjects in several Member States. According to the information incorporated into the IMI System, in accordance with the provisions of article 60 of the RGPD, the following act as "supervisory authorities concerned": in addition to the German data protection authority of Bavaria, the authorities of the Netherlands and Portugal and the German authorities of North Rhine-Westphalia, Hesse, Berlin and Baden-Württemberg, all of them under article 4.22.b) of the RGPD, given that data subjects residing in the territory of these supervisory authorities are substantially affected or are likely to be substantially affected by the processing subject to this procedure.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es

THIRD: On September 9, 2021, in accordance with the then current article 64.3 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the claim presented by the complaining party was admitted for processing.

FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out preliminary investigative actions to clarify the facts at issue, by virtue of the functions assigned to the supervisory authorities in article 57.1 and the powers granted in article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, obtaining knowledge of the following points:

In response to a request for information made by this Agency, on May 19, 2022, OPENBANK provided, among other things, the following information:

1. Indication that OPENBANK has delegated the service of requesting information from clients to the entity Santander Global Operations, S.A. (hereinafter, SGO), which belongs to the Santander group and which acts in this case as processor.

2. Indication that they have defined an internal procedure called "Protocol of communications to clients due to AML/FT alerts: Opening and management of GAPs" to establish how SGO is to act when it is necessary to request information or documentation supporting an unusual income. This procedure would apply in all countries in which OPENBANK provides service under the regime of free provision of services, which include Spain and Germany. As indicated in the submission, this procedure consists in that "the Openbank call center (hereinafter, 'call center') will contact the client to request said information at the mobile telephone number registered in the Openbank database. Additionally, an e-mail is sent to the address registered in our database from the mailbox ***EMAIL.4 for Spanish clients or ***EMAIL.1 for German clients. In those cases in which the client requests information about other channels through which they can send the required documentation, they are informed that the following are available to them: (i) by postal mail and (ii) in person at either of the two branches that Openbank has in Madrid." And it states that the communication model provided for both contact channels is the following:

        Dear Customer:

        The reason for our communication is to inform you that Openbank is obliged, in compliance with current legislation, to know the economic activity and the origin of its clients' funds.
        A. For a specific operation: In this communication we ask you for documentation that proves the origin of the funds that on [...] were deposited in Openbank for a total amount of [...] €. You can send us any document that justifies the origin of the aforementioned funds.
        B. For regular operations: In this communication we ask you for documentation that proves the origin of the funds that have regularly been deposited from [...] to date for a total amount of [...] €. You can send us any document that justifies the origin of the aforementioned funds.
        You can send this documentation to the following e-mail address: [***EMAIL.5 for Spanish customers or ***EMAIL.1 for German customers], indicating your full name in the e-mail.
        We inform you that Openbank, acting as controller of the processing of your personal data, will process the same for compliance with the legal obligations to which Openbank is subject, adopting sufficient technical and organizational measures to guarantee the security of the information. More information about your rights and data protection at [***URL.1 for Spanish clients or ***URL.2 for German clients].
        Remaining at your disposal for any clarifications you need, best regards

3. Regarding the measures taken to guarantee the confidentiality of the documentation sent by the client to justify an unusual income, the following is indicated, among other measures:

        Finally, taking into account the security that we offer on our web pages and mobile applications, and that Openbank is a 100% digital bank, we inform you that there are different processes in the entity, such as contracting a mortgage loan, personal loan or checking account, that allow clients to send us documentation through the client's private area, where they are identified with their identity document and access code. In this sense, we would like to indicate that this functionality is implemented and in operation in order to comply with the AML/CFT obligation to apply measures to ensure Openbank's knowledge of its clients and to ensure that the documents, data and information available are up to date. We attach them as an example as Annex V: Update flow of KYC and customer documentation.

   Screen prints of the know-your-customer form are also provided, in which it is observed that, upon completing the form, the option is given to update the "Economic activity document" and "Address verification" documents by uploading them at that time.

4. As "Annex IV: Contractual support for the service provided by SGO", a copy is provided of a document called "ANNEX 12 MONEY LAUNDERING PREVENTION SERVICE", which indicates that it is annexed to the framework contract for the leasing of services between OPENBANK (as client) and SGO (as supplier) signed on January 1, 2020 for one year, extendable for annual periods. This annex is dated October 16, 2020 and its purpose is "the provision by the Supplier to the Client of a Back Office service for the activities related to the prevention of money laundering and the financing of terrorism", with the following relevant content:

   - In the first clause: (...).

   - In the fifth clause, regarding the protection of personal data, it indicates that (...). Furthermore, this fifth clause indicates that (...). And, in clause five.d), the following is indicated: (...).

   - The sixth clause, on cybersecurity requirements, includes the following section on data transfers: (...).

   - In the eleventh clause, on subcontracting, the following is indicated regarding activities that cannot be subcontracted: (...).



CONCLUSIONS OF THE PRELIMINARY INVESTIGATIVE ACTIONS

1. Communications with clients for money laundering and terrorist financing prevention alerts are subcontracted to SGO both in Spain and in Germany. They report that there is a protocol for carrying out these communications, indicating that, in these cases, the client is contacted using the telephone number they have previously registered and, additionally, an e-mail is sent to the e-mail address they have previously registered.

2. In accordance with this protocol, in the communication sent by e-mail to request information from the client regarding money laundering alerts, the channels that would be offered to the client to send documentation would be the following: e-mail, postal mail or in person at the offices of OPENBANK in Madrid.

3. OPENBANK has a way to upload documents securely (through its website) for some procedures (for example, to update the "Economic activity document" and "Address verification" documents in the know-your-customer form). This way of uploading documents is not offered to the client within the protocol for money laundering alerts, in accordance with what is indicated in the claim.

FIFTH: On August 26, 2022, the Director of the AEPD adopted a draft decision to initiate sanctioning proceedings. Following the process established in article 60 of the GDPR, on August 30, 2022 this draft decision was transmitted through the IMI system and the supervisory authorities concerned were informed that they had four weeks from that moment to raise relevant and reasoned objections. Within the period set for this purpose, the supervisory authorities concerned did not present relevant and reasoned objections in this regard, so it was considered that all the authorities were in agreement with said draft decision and were bound by it, in accordance with the provisions of section 6 of article 60 of the GDPR.

This draft decision was notified to OPENBANK, in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (LPACAP), on August 29, 2022, as stated in the acknowledgment of receipt in the file.

SIXTH: On October 3, 2022, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against OPENBANK, in accordance with the provisions of articles 63 and 64 of the LPACAP, for the alleged infringement of article 25 of the RGPD, typified in article 83.4 of the RGPD, as well as for the alleged infringement of article 32 of the RGPD, typified in article 83.4 of the RGPD. In said Initiation Agreement, OPENBANK was told that it had a period of ten days to present allegations.

This Initiation Agreement, which was notified to OPENBANK in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (LPACAP), was collected on October 3, 2022, as stated in the acknowledgment of receipt in the file.


SEVENTH: On October 6, 2022, OPENBANK submitted a document through which it requested an extension of the deadline to present allegations and that it be provided with a copy of the file.

EIGHTH: On October 14, 2022, the investigating body of the procedure agreed to the requested extension of the deadline up to a maximum of five days, in accordance with the provisions of article 32.1 of the LPACAP, and that a copy of the file be sent to OPENBANK.

The aforementioned agreement was notified to OPENBANK on October 14, 2022, as appears in the acknowledgment of receipt in the file.


NINTH: On October 26, 2022, a letter from OPENBANK was received at this Agency, in due time and form, in which it made allegations to the Initiation Agreement, accompanied by the following documentation:

1.- Document "Communications protocol to clients for AML/FT alerts: OPENING AND MANAGEMENT OF GAPS (March 2021 version)".
2.- Document "Communications protocol to clients for transactional surveillance alerts for the prevention of money laundering and terrorist financing (PBC/FT) (October 2022 version)".
3.- Document "Certificate on sections 3.10 and 3.11 of the Manual of OPENBANK's internal policy on AML/CFT matters".
4.- Document "Impact Assessment - Monitoring of clients and sensitive operations (August 2021 version)".
5.- Document "Impact Assessment - Monitoring of clients and sensitive operations (October 2022 version)".
6.- Document "Approval report referring to Santander Global Operations, S.A."
7.- Document "Internal security certificate issued by Santander Global Technology and Operations, S.L."
8.- Document "EVALUATION (...)".
9.- Document "VENDOR RISK ASSESSMENT - DP REPORT".
10.- Uploading of documentation to the client's private area.
11.- Images of "Section: Frequently Asked Questions on the Openbank website".
12.- Document "Certificate of availability for uploading documents, issued on October 21, 2022".
13.- Document "Certificate of the number of operations and customers analyzed and affected".


TENTH: On December 1, 2022, the investigating body of the procedure agreed to open a period for the taking of evidence, considering as incorporated the claim filed by the complaining party and its documentation, the documents obtained and generated during the phase of admission of the claim for processing, and the report of preliminary investigative actions that form part of procedure E/09448/2021, and deeming reproduced for evidentiary purposes the allegations to the agreement to initiate the referenced sanctioning procedure presented by OPENBANK and the documentation that accompanied them.

That same day, this Agency required OPENBANK to present the following information within a period of ten working days:

Provide documentary evidence regarding data protection by design and by default, for which OPEN BANK, S.A. is required to provide the data protection impact assessment in force on 07/07/2021, the date on which OPEN BANK, S.A. requested the sending of documentation from the complaining party, since in the documentation attached to the allegations of OPEN BANK, S.A. later versions are provided, specifically the modified versions of August 2021 and October 2022.

The opening of the evidence period was notified to OPENBANK, in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (LPACAP), on December 1, 2022, as stated in the acknowledgment of receipt in the file.

On December 19 and 28, 2022, OPENBANK presented its response to the aforementioned requirement.


ELEVENTH: On April 11, 2023, the instructor of the procedure issued a diligence by which the document "2021 Annual Report" of the Santander Group, which includes the corporate structure of the Santander Group and its business volume, is incorporated into the file. This report states that the total global annual business volume of Banco Santander, S.A. and dependent companies (Santander Group) in the financial year prior to the commission of the infringement, fiscal year 2020, was 44,279 million euros (see pages 555 and 843 of the aforementioned "2021 Annual Report").

TWELFTH: On May 23, 2023, the investigating body of the procedure issued a proposed resolution in which it was proposed, in accordance with the provisions of articles 63 and 64 of the LPACAP, to impose a fine of 1,500,000 euros on OPENBANK for the infringement of article 25 of the GDPR, and a fine of 1,000,000 euros for the infringement of article 32 of the RGPD, both classified under article 83.4 of the GDPR. Likewise, it was told that it had a period of ten days to present allegations.

This proposed resolution, which was notified to OPENBANK in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (LPACAP), was collected on June 1, 2023, as stated in the acknowledgment of receipt in the file.


THIRTEENTH: On June 1, 2023, OPENBANK presented a letter through which it requested an extension of the deadline to present allegations and that it be provided with a copy of the file.

FOURTEENTH: On June 2, 2023, the investigating body of the procedure agreed to send OPENBANK a copy of the file, which was received by courier on June 8, 2023, as stated in the acknowledgment of receipt in the file.

FIFTEENTH: On June 5, 2023, the investigating body of the procedure denied the requested extension of the deadline to present allegations.

The aforementioned agreement was notified to OPENBANK that same day, as stated in the acknowledgment of receipt in the file.
SIXTEENTH: On June 14, 2023, this Agency received, in due time and form, a letter from OPENBANK in which it made allegations to the proposed resolution. In these allegations, in summary, it stated that:

    - The content of the proposed resolution is the same as that of the agreement to initiate this sanctioning procedure, so it reproduces the allegations already presented.
    - Money laundering prevention regulations do not apply.
    - There are no financial data.
    - The so-called "high level measures" are not required.
    - The non bis in idem principle is being violated, or alternatively there would be a medial concurrence of infringements.
    - OPENBANK complies with the principle of data protection by design.
    - OPENBANK has not violated article 32 of the GDPR.
    - The principle of proportionality is being violated.

From the actions carried out in this procedure and the documentation recorded in the file, the following facts have been accredited:



                                PROVEN FACTS

FIRST: In the unsigned document that accompanies the allegations to the agreement initiating this procedure, called “PROTOCOL OF COMMUNICATIONS TO CUSTOMERS FOR AML/CFT ALERTS: OPENING AND MANAGEMENT OF GAPS”, it is indicated that the first approved version is from 04/03/2018 and that on 03/10/2021 the “Review, update and modification of some deadlines (reduction thereof)” was carried out. Point 4 of the aforementioned document
details:

"4. FOLLOW-UP OF THE GAP REQUEST AND BLOCKING OF ACCOUNTS
The following process and deadlines are established in order to track the request for information regarding AML/FT alerts and, where applicable, to set alerts on the account:
D: SGO opens a GAP requesting the Contact Center to contact the Client to request information/documentation. If the request is urgent or the size of the request does not fit in the GAP, SGO will also send it by email to the Contact Center, recording this in the GAP.

D+1: The Contact Center contacts the client and requests the information/documentation following the First Communication model of Annex I. In the first instance, contact will be by telephone, and an email will also be sent to the client (see First Communication of Annex I) detailing the required documentation. If there is no valid email address, the request will be sent by postal mail.
The Contact Center will record in the GAP both the sending of this communication and any contact with the customer, or the inability to make such contact, and will reassign the GAP to SGO.

SGO reviews the GAP and records in the GAP comment the date of the next review (D+15).
D+15: If the required documentation has not been received by said date, SGO will indicate to the Contact Center, via a comment and reassignment of the GAP, that it must reiterate the request for information to the client.
D+16: The Contact Center contacts the customer again, following the same process used in D+1 but in this case using the Second Communication of Annex I, in which the client is warned of the possibility of blocking.” (…)


In Annex I of the aforementioned document, it is indicated:


“(…)”


SECOND: On July 7, 2021, an email was sent from the address ***EMAIL.1 to ***EMAIL.2. The content of the email is as follows (unofficial translation of the German original):

“Dear Mr. A.A.A.
The reason for our communication is to inform you that Openbank is obliged, in accordance with current legislation, to know the economic activity and the origin of the funds of its clients. In this communication, we request the documents that prove the origin of the funds.
Amounts deposited in Openbank (account ending in XXXX).
- on (…)
- on (…)
- on (…)
Please send us documents proving the origin of these funds.
You can send us any document that justifies the origin of said funds (for example, income tax return, payroll, employment contract, sale contract if it is a real estate transaction).
We guarantee the absolute confidentiality of the documentation you send us.
If we do not receive the requested documentation within 15 days from the date of this notice, Openbank may, in compliance with the applicable regulations, prevent new deposits from being made to your accounts.
If you have any questions about this, please do not hesitate to contact us every day from 08:00 to 22:00 at ***PHONE.1.
Sincerely
Your Openbank team”

THIRD: On July 10, 2021, an email was sent from the complaining party's email address to ***EMAIL.1. The content of the email is as follows (unofficial translation of the German original):

“Dear Sir or Madam,
I have had a demand deposit account at Openbank S.A./Madrid since last year.
Now I have been asked to provide evidence of demand deposits of more than XXXXX euros, but also more than XXXX euros. I can understand this as part of the fight against "money laundering". However, the bank does not offer the possibility of uploading data securely, for example through the customer portal. Instead, I am forced to transmit my personal data through a simple unencrypted email. Despite asking, they only offered me this option, which I found myself forced to use.
I ask you to check the process from the point of view of data protection and, where appropriate, take the appropriate measures.
If you are not the competent authority, please pass the matter on and send me a filing notice.

Yours sincerely
“A.A.A.”

FOURTH: On July 13, 2021, the complaining party receives an automatic reply sent by ***EMAIL.3. The content of the email is as follows (unofficial translation from the German original):

“Thank you for your request. We confirm that it has been duly received and we will send our response shortly.
We remind you that our email hours are Monday to Sunday from 08:00 to 22:00.

This is an automated response. If you have any questions, please contact ***EMAIL.4.

Receive a cordial greeting,
“OPENBANK”

FIFTH: Document 4 provided by OPENBANK along with the allegations to the agreement initiating this sanctioning procedure is entitled “Impact Assessment - Monitoring of clients and sensitive operations”, is not signed and indicates that it is from August 2021. On page 41 it includes the following:

SIXTH: Dated May 19, 2022, in response to the information request formulated by this Agency, OPENBANK stated:

1.- That the service of requesting information from clients was delegated to the entity Santander Global Operations, S.A. (SGO), which belongs to the Santander group and which acts in this case as processor, according to the contract dated October 16, 2020.

In the document “Annex IV: Contractual support for the service provided by SGO” of the response to the information request of this Agency, in point 6.1 of the sixth clause of “ANNEX 12 MONEY LAUNDERING PREVENTION SERVICE TO THE FRAMEWORK AGREEMENT FOR THE LEASING OF SERVICES AND/OR EXECUTION AND/OR DEVELOPMENT OF PROJECTS SUBSCRIBED BETWEEN SANTANDER GLOBAL OPERATIONS S.A. AND OPEN BANK, S.A. SUBSCRIBED BETWEEN OPENBANK, S.A. AND SANTANDER GLOBAL OPERATIONS, S.A. ON THE 1ST OF JANUARY 2020” can be seen:

2.- That it had defined an internal procedure called “Protocol of communications to clients due to AML/FT alerts: Opening and management of GAPS”, whose purpose was to establish the updated protocol for the management of requests for information to clients by Santander Global Technology and Operations (hereinafter, “SGTO”), an entity belonging to the Santander Group to which Openbank delegates this service as processor.

3.- That this procedure for managing requests for information from clients is applied in all countries in which OPENBANK provides services under the free provision of services, including Spain and Germany.


4.- That this procedure consisted of the following: “the call center of Openbank (hereinafter, “call center”) will contact the client to request said information at the mobile phone number registered in the Openbank database. Additionally, an email is sent to the address registered in our database from the ***EMAIL.4 mailbox to Spanish clients or from ***EMAIL.1 to German customers. In those cases in which the client requests information about other channels through which the requested documentation can be submitted, they are informed that the following are at their disposal: (i) postal mail and (ii) in person at either of the two branches that Openbank has in Madrid.”


5.- That the communication model for both contact channels was the following:

        (…).

        1. Customers may send the encrypted documentation attached by email and the password via phone call.

SEVENTH: Document 5 provided by OPENBANK together with the allegations to the agreement initiating this sanctioning procedure is entitled “Impact Assessment - Monitoring of clients and sensitive operations”, is not signed and indicates that it is from October 2022.

On page 4, in point “1. EXECUTIVE SUMMARY”, in the section “Name and description of the processing”, it describes the data processing applicable to this case as follows: “Monitoring of clients and operations in compliance with the AML/CFT regulations, specifically what is established in article 17, [which requires] financial entities to examine with special attention any event or operation, regardless of its amount, which, by its nature, may be related to money laundering or the financing of terrorism, in particular any operation or pattern of behavior that is complex, unusual, or without an apparent economic or legal purpose, or that presents signs of simulation or fraud.”


On page 15 of the aforementioned document, the risk is classified as follows:

And on page 43 of the aforementioned document the following is included:

EIGHTH: In the unsigned document that accompanies the allegations to the agreement initiating this procedure, called “PROTOCOL OF COMMUNICATIONS TO CUSTOMERS FOR TRANSACTIONAL SURVEILLANCE ALERTS FOR THE PREVENTION OF MONEY LAUNDERING AND FINANCING OF TERRORISM (PBC/FT)”, it is indicated that the first approved version is from 04/03/2018 and that on 03/10/2021 the “Review, update and modification of some deadlines (reduction thereof)” was carried out. Revision 3 of the document indicates that it was carried out on 05/06/2022 and consisted of the “Review, update and modification of the communications of Annex I”, while revision 4 indicates that it was carried out on 10/17/2022 and consisted of the “Review and update of the protocol with the aim of adapting it to the new documentation upload process via the private website, eliminating the need for the client to send it to an e-mail address. Document reviewed together with the contact center and Operations Compliance”. Point 4 of the aforementioned document details:

"4. SENDING AND RECEIVING DOCUMENTATION BY CLIENTS

In all cases (customers from Spain and passporting countries - Germany, the Netherlands and Portugal) clients will be informed to upload the required documentation to the space enabled for this in the private area of the Openbank website, indicating in the text field the information that allows the operation carried out to be justified.

The contact center manager will provide assistance to customers who have difficulties with the instructions for uploading documentation. If the customer has forgotten his username and/or password to access the Openbank website, he will be informed of the steps to follow to reset it. In addition, a help guide has been prepared for managers and information for clients has been incorporated within the FAQ section of the Web."


And in “Annex I - Communications to clients to request information and/or documentation due to an AML/CFT transactional surveillance alert” it explains:

“(…)”

NINTH: As of October 13, 2022, OPENBANK had enabled within the private area of the bank's website (which requires a username and password for access) a space so that clients could provide the documentation required in compliance with the provisions of article 6 of Law 10/2010, of April 28, on the prevention of money laundering and terrorist financing.

TENTH: During the evidentiary period, OPENBANK provided an Excel-type file “DOCUMENTO_NUM._1.XLSX”, without signature or date, in which the tab “0. Control Sheet” shows at the beginning, in red, “Data Privacy Impact Assessment (DPIA)”. And in the tab “2. Life Cycle” of this file, under the heading “Data capture”, the section “Processing activities or operations” contemplates “Extraction of the client's transactional operations from the core systems of the Bank”. (…):

2. Treatment life cycle

General information

affected personnel. It is necessary to indicate, broadly speaking, what the life cycle of the treatment would be like: from when the data is captured, how it is stored or classified, for what purpose it is used, the existence of assignments or transfers (whether to other national or international companies) and finally a description of how they are destroyed.

Processing life cycle (columns): Data capture | Storage / classification | Use / processing | Transfer of data or transfers to a third party | Destruction

Processing activities or operations:
- Data capture: Extraction of client transactional operations from the Bank's core systems.
- Storage / classification: Data storage in internal fraud lists.
- Use / processing: Tracking and monitoring of the clients' transactional profile, through analysis of their positions and operations in the different products contracted with Openbank, and client weighting.
- Transfer: Transfer of client data through the Editran tool.
- Destruction: Data is not destroyed; it is stored indefinitely. However, the tool limits the depth of historical information that can be consulted.

Flow and processed data:
- Data capture, Storage / classification, Use / processing and Transfer: Identifying data; Economic, financial and insurance data.
- Destruction: N/A

Participants in the processing activities or operations (includes processors):
- Data capture: N/A
- Storage / classification: N/A
- Use / processing: GEOBAN (in charge of alert monitoring) (analysis of second-level operations)
- Transfer: Sepblac
- Destruction: N/A

Technology involved in the processing activities:
- Data capture: Partenon
- Storage / classification: Office tools (Excel)
- Use / processing: Norkom, FIOC Application
- Transfer: Editran tool
- Destruction: N/A





ELEVENTH: Banco Santander, S.A. holds a direct 100% shareholding in Open Bank, S.A. (see page 816 of the “2021 Annual Report” of the Santander Group).

The total global annual business volume of Banco Santander, S.A. and its subsidiaries (Santander Group) in the financial year prior to the commission of the infringement, fiscal year 2020, was 44,279 million euros (see pages 555 and 843 of the “2021 Annual Report”).



TWELFTH: OPENBANK's total number of clients is greater than 1.7 million customers (Source: ***URL.3).




THIRTEENTH: The number of requests made by OPENBANK for the analysis of operations in compliance with art. 6 of Law 10/2010, of April 28, on the prevention of money laundering and terrorist financing, and the number of clients therefore impacted during the years 2020, 2021 and 2022, has been the following, according to what is stated in Document 13 that accompanies its allegations to the agreement initiating this sanctioning procedure:

                                                              FOUNDATIONS OF LAW

                                                                                                   I

                                                            Competence and applicable regulations



In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants each supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 and 68.2 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, of this organic law, of the regulatory provisions dictated in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures.”

                                            II
                                   Preliminary Issues


In the present case, in accordance with the provisions of article 4.1 and 4.2 of the RGPD, the processing of personal data is involved, since OPENBANK, through the entity Santander Global Operations, S.A. as processor, carries out the collection, storage and communication of, among others, the following personal data of natural persons: name, surname, tax identification number, email and the origin of the clients' income, among other processing operations.

OPENBANK carries out this activity in its capacity as data controller, given that it is the one who determines the purposes and means of such activity, by virtue of article 4.7 of the GDPR.


The GDPR provides, in its article 56.1, for cases of cross-border processing as defined in its article 4.23), in relation to the competence of the lead supervisory authority, that, without prejudice to the provisions of article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor will be competent to act as lead supervisory authority for the cross-border processing carried out by said controller or processor in accordance with the procedure established in article 60. In the case examined, as stated, OPENBANK has its main establishment in Spain, so the Spanish Data Protection Agency is competent to act as the lead supervisory authority.


For its part, article 25 of the GDPR regulates data protection by design and by default, which the data controller must apply both at the time of determining the means of processing and at the time of the processing itself, and, on the other hand, article 32 of the RGPD regulates the security measures that must be adopted to guarantee a level of security appropriate to the risk presented by the processing of personal data.


                                            III

                                 Allegations submitted



In relation to the allegations submitted against the proposed resolution of this sanctioning procedure, we proceed to respond to them in the order set out by OPENBANK.

FIRST.- GENERAL CONSIDERATIONS REGARDING THE CONTENT OF THE PROPOSED RESOLUTION

OPENBANK alleges that the structure and content of the proposed resolution are not only extremely complex and difficult to follow, but that, as a consequence of all this, the AEPD incurs numerous contradictions.


In this sense, it alleges that the proposed resolution dedicates legal basis III to responding to the allegations submitted by OPENBANK against the agreement initiating this sanctioning procedure, for which purpose it reproduces almost literally the allegations made by OPENBANK, attempting to counter-argue, one by one, what is stated in each of them, but that, subsequently, the proposed resolution reproduces in legal bases IV and following, practically literally and with minimal alterations, the content of the aforementioned initiation agreement, without adding any reasoning to what had already been invoked by the Agency at the time the procedure was initiated.

And it alleges that what is stated in legal basis III of the proposed resolution comes into open contradiction with what is stated in its legal basis IV, given that in the first of these grounds the AEPD denies supporting the argumentation or reasoning that is subsequently reproduced and used to confirm its position in the following legal bases.

It indicates that this leads, first of all, to an obvious conclusion: if the reasoning of the AEPD is exactly the same as that maintained in the initiation agreement, OPENBANK cannot but confirm itself in each and every one of the allegations made against the aforementioned agreement.

In this regard, this Agency recognizes that the wording of the legal foundations subsequent to the one that responds to the allegations presented by OPENBANK could be improved, which is why a new wording is adopted that simplifies the reading of the resolution, while improving the reasoning in relation to the commission of the infraction, as well as the sanction to be imposed, and avoids possible confusion.

SECOND.- ON THE PREMISES MAINTAINED BY THE AEPD THROUGHOUT THE PROCEDURE

OPENBANK, in its allegations to the Initiation Agreement, showed how that agreement (and the Proposal) was based on three essential arguments: (i) that OPENBANK was subject to compliance with the due diligence obligations established in article 32 of Law 10/2010, of April 28, on the prevention of money laundering and terrorist financing (hereinafter, the “LPBCFT”) and in article 60.2 of its implementing regulations, approved by Royal Decree 304/2014, of May 5 (hereinafter, the “RPBCFT”); (ii) that the AEPD considered that the information requested by OPENBANK from the complaining party constituted “financial data”, which required the adoption of reinforced measures not assessed by OPENBANK; and (iii) that “high-level” security measures had to be implemented.


It alleges that the proposed resolution does not contradict what was argued by OPENBANK, but denies that the Initiation Agreement applied the aforementioned premises, something that, in its opinion, is directly contradicted by the reading of the proposal itself, given that the paragraphs transcribed by OPENBANK continue to appear, literally, in legal bases IV and following of the same.


In this regard, this Agency reiterates that:

(i) the object of this procedure is not the violation of the provisions of the regulations on the prevention of money laundering but rather the violation of the provisions of articles 25 and 32 of the GDPR, the regulations applicable to the protection of personal data of natural persons, which is the responsibility of this Agency;

(ii) the information requested by OPENBANK from the complaining party does have the consideration of “financial data”, which required the application of a series of reinforced measures to effectively apply data protection principles and integrate the necessary guarantees into the processing in order to meet the requirements of the GDPR and protect the rights of the data subjects (in accordance with the provisions of article 25 of the GDPR), as well as the application of technical and organizational measures appropriate to guarantee a level of security appropriate to the risk (in accordance with the provisions of article 32 of the RGPD);

(iii) that in the present case it is not a question of whether “high level” security measures should be implemented, but rather that measures had to be implemented that guarantee a level of security appropriate to the risk to the rights and freedoms of natural persons.


However, this Agency recognizes that the wording of the legal foundations subsequent to the one that responds to the allegations presented by OPENBANK could be improved, which is why a new wording is adopted that simplifies the reading of the resolution, while improving the reasoning in relation to the commission of the infraction and the sanction to be imposed, and avoids possible confusion.

1. On the applicability of the regulations for the prevention of money laundering

OPENBANK alleges that, in relation to the alleged applicability of the due diligence obligations established in article 32 of the LPBCFT, the proposed resolution establishes a premise: that the provisions of the regulations for the prevention of money laundering and terrorist financing are irrelevant in the present case, given that (i) “the classification of the facts is not motivated by a violation of articles 32 and 32 bis of Law 10/2010, as OPENBANK says in its allegations, but by articles 25 and 32 of the RGPD”; (ii) “it is not the subject of the present procedure whether or not the provisions of article 32 or 32 bis of the LPBCFT are complied with, since this is not the competent authority for this and the legal right protected by the aforementioned regulations is different from the legal right protected by the data protection regulations”; and (iii) in relation to OPENBANK's invocation of reports from the AEPD itself, “what cannot be done is, as OPENBANK intends, to use them to interpret the content of an article, 32 bis, in contrast to article 32, when article 32 bis did not exist on the date of issuance of such reports, having been added later by art. 3.15 of Royal Decree-law 7/2021, of April 27, in force as of 04/29/2021.”

Regarding the first of the aforementioned issues, OPENBANK considers that a mere reading of legal basis IV of the Proposed Resolution is enough to show how the AEPD continues to base OPENBANK's entire imputability on its alleged non-compliance with article 32 of the LPBCFT, and how said precept refers solely and exclusively to compliance by the obligated entities, in matters of prevention of money laundering, with the provisions relating to the obligations of special examination of operations and initial communication to the Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offenses (hereinafter, the “SEPBLAC”).

In this regard, this Agency recognizes that the wording of the legal foundations subsequent to the one that responds to the allegations presented by OPENBANK could be improved, which is why a new wording is adopted that simplifies the reading of the resolution, while improving the reasoning in relation to the commission of the infraction and the sanction to be imposed, and avoids possible confusion.

Likewise, OPENBANK alleges that the proposed resolution errs in indicating that the provisions of articles 32 and 32 bis of the LPBCFT are outside the powers of the AEPD, since these are two rules that regulate the obligations of the obligated subjects regarding the protection of personal data and not the substantive aspects of the anti-money laundering regulations themselves. And that these precepts are configured as a special rule referring to the protection of personal data in the environment of the anti-money laundering regulations, in the same way that numerous sectoral regulations include data protection provisions regarding which the AEPD has never denied its competence, since they are nothing more than the particularization for a specific case or sector of the rules contained in the RGPD and the LOPDGDD.


OPENBANK indicates that the aforementioned precepts are those that particularize the obligations that must be fulfilled by the obligated subjects in order to comply with the proactive responsibility duties established in the personal data protection regulations in relation to data processing of this nature that must be carried out in compliance with the obligations established in the Law and, with regard to this case, in compliance with the duty to know the origin of the funds established in the anti-money laundering regulations.

That is, compliance with the principle of proactive responsibility, and in particular that of privacy by design, is materialized in the adoption of the measures established by the LPBCFT itself, without it being admissible to disaggregate this law from the RGPD, as if they were independent legal regulations referring to different realities. The LPBCFT indicates what these obligations are, clearly and evidently differentiating (and in force at the time of the occurrence of the events that gave rise to the present file) between the obligations related to the processing carried out in compliance with due diligence and those related to the processing carried out to comply with the special examination of operations, so that, in the present case, the provisions of article 32 bis of the LPBCFT apply.

In this regard, this Agency wishes to point out that it cannot but agree with everything affirmed by OPENBANK in this sense, while clarifying that the management of regulatory compliance provided for in article 25 of the GDPR is not limited to the application of the precepts of the LPBCFT that particularize some of the data protection obligations, further reinforcing some of those obligations in relation to certain processing operations.


In this way, OPENBANK alleges, compliance with the principle of privacy by design in the processing carried out in compliance with Chapter II of the LPBCFT translates into article 32 bis.4 of the law, which provides that “the obligated subjects must carry out a data protection impact assessment of the processing referred to in this article in order to adopt reinforced technical and organizational measures to guarantee the integrity, confidentiality and availability of personal data. These measures must in any case guarantee the traceability of data access and communications.”

And it is undeniable, in its opinion, that OPENBANK carried out the aforementioned data protection impact assessment in relation to the aforementioned processing, just as it did not conceive and apply this obligation as a static process but as a dynamic one, recording in the file the various assessments carried out by OPENBANK, as well as the measures successively implemented by it, among which is currently the fact that the information for compliance with due diligence obligations is provided in the client's private area made available by OPENBANK.

In this regard, this Agency wishes to point out that compliance with the principle of privacy by design in the processing carried out in compliance with Chapter II of the LPBCFT translates into much more than what is indicated in article 32 bis.4 of the law. Everything indicated in article 25 of the RGPD applies to this processing, as it applies to all subjects included in its scope of application. However, in the specific case of entities subject to the LPBCFT regime, the obligation to carry out an impact assessment in order to adopt reinforced measures to guarantee the integrity, confidentiality and availability of personal data (and, at a minimum, to guarantee the traceability of access to and communications of the data) is a heightened obligation, due to the very nature of the processing carried out in compliance with Chapter II of the LPBCFT, which requires greater protection given the greater risk to the rights and freedoms of natural persons.


It should also be noted that privacy by design is not limited to carrying out the data protection impact assessments referred to in the LPBCFT.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 20/77








In the present case, the lack of design of the processing on the part of OPENBANK
is apparent, since the activity of collecting data from clients does not appear in
the so-called “processing life cycle” of its Excel data protection impact assessment
document (provided during the evidence period of this procedure). Therefore, since
this activity was not even foreseen, the appropriate technical and organizational
measures were not applied to effectively implement the data protection principles
(among others, confidentiality), meet the requirements of the GDPR and protect the
rights of data subjects.

Regarding the analyses carried out by OPENBANK in the documents called
“Impact Assessment - Monitoring of clients and sensitive operations”, in its
August 2021 version, which was not even in force at the time of the events giving
rise to the claim, which took place in July 2021, the only possibility foreseen was
for clients to send information through an encrypted message, sending the password
through another channel. The document even mentions that “an internal request has
been made so that interested parties can upload documents directly through the
website, once they have logged in.” However, it has been verified that the
complaining party was never given that possibility, neither in the initial
communication sent by OPENBANK nor subsequently, when they requested a secure
alternative channel for sending that information. It was also found that the
communication template sent to clients mentioned none of these options; it only
mentioned the possibility of replying to the email that had been sent, without
giving any further instructions on how such information could be protected.

It is curious that, despite not providing its clients with any sufficiently secure
means of supplying the information they were obliged to provide, both documents, in
their 2021 and 2022 versions, recognize that the risk inherent in such processing had
a high impact on the rights and freedoms of the data subjects.

And yet it is only in the October 2022 version that OPENBANK indicates that
“customers will identify themselves by means of a DNI and access code to the private
customer area”.


What is certain is that the communication sent to the client followed the document
provided by OPENBANK as its protocol for requesting documentation from clients under
the LPBCFT, and that the communication addressed to clients indicated no means of
providing that information beyond the possibility of replying to the aforementioned
email.


In any case, to comply with data protection by design and, therefore, effectively,
it is not enough simply to have a protocol document or a communication template if,
on reviewing those documents, it is found that they made no adequate provision for
the technical and organizational measures appropriate to effectively implement the
data protection principles and integrate the necessary safeguards into the
processing so as to meet the requirements of the RGPD and protect the rights of data
subjects, as provided in article 25.1 of the GDPR.

Nor is it sufficient to have documents that establish protocols or procedures to
follow if, later, in practice, when the processing is carried out, appropriate
measures to implement the data protection principles are not in fact applied, nor
are the safeguards necessary to meet the requirements of the GDPR integrated.

In the present case, it has been proven that in July 2021 the complaining party was
asked to send by email certain information which could have a high impact on their
rights and freedoms, without being given any further instructions on how they could
send that information through a secure channel.

It has also been proven that the complaining party had told the bank of their
concern in this regard and had requested that a secure means of sharing such
information be provided. But, given the bank's refusal, they had no option other
than to send the requested information by plain email, to their displeasure and
despite having expressed their reluctance. The complaining party even expressly
asked that their concern be taken into account and that a secure means of sharing
this type of information be enabled in the future.

However, in the August 2021 documents that OPENBANK provided together with its
allegations to the initiation agreement, no other means is foreseen.

From the content of the documentation in the file, the following has been proven:


    - That in “Annex I - Communications to clients to request information and/or
       documentation for AML purposes” of the document “PROTOCOL FOR COMMUNICATIONS
       TO CUSTOMERS FOR AML/CFT ALERTS: OPENING AND MANAGEMENT OF GAPS”, dated
       March 2021, the first communication addressed to the client, in which they are
       asked to prove the origin of the funds, neither provides for nor indicates a
       specific means by which they must supply that information to OPENBANK. And
       that the second communication addressed to the client likewise neither
       provides for nor indicates a means of supplying that documentation to the
       bank, while the text does include the threat that, if the requested
       documentation is not received within the next 15 days, OPENBANK may prevent
       new deposits into their accounts.


    - That on July 7, 2021, OPENBANK requested the complaining party to send
       documentation accrediting the origin of certain funds, under the threat that
       in 15 days it could prevent new deposits into their account, without
       indicating any means by which such information should be provided.


    - That on July 10, 2021, the complaining party provided the requested
       documentation, expressing their disagreement because, when they asked how to
       send that information, they were told to do so by email, without further
       detail. In that email the complaining party states that they do not consider
       it a secure means, that they are using it because they were forced to, and
       they even themselves suggest, as an example of a secure means, the
       possibility of sending it “through the client portal”, a possibility that
       OPENBANK had not offered them. They also ask that the process be reviewed
       from the point of view of data protection and that appropriate measures be
       taken. However, this email only received an automatic acknowledgment of
       receipt from the bank, on July 13, 2021.


    - In the document “Impact evaluation - Customer and operation monitoring -
       sensitive information”, dated August 2021, it is foreseen that the data
       subject can reply to the email with an encrypted message, sending the
       password through another channel. And it has been requested that this could
       be done directly through a section of the website, once logged in.


    - In the document “Impact evaluation - Customer and operation monitoring -
       sensitive data”, dated October 2022, it is foreseen that clients will
       authenticate using their ID and access code to the private client area.


    - In the document “PROTOCOL FOR COMMUNICATIONS TO CUSTOMERS FOR TRANSACTIONAL
       MONITORING ALERTS FOR THE PREVENTION OF MONEY LAUNDERING AND TERRORIST
       FINANCING (PBC/FT)”, dated October 2022, it is indicated that clients will be
       told to upload the documentation through the private area of the OPENBANK
       website. And in “Annex I - Communications to clients to request information
       and/or documentation for an AML/CFT transactional monitoring alert” the
       client is instructed to send the documentation through the “Customer Area”
       of the OPENBANK website.

That is, the protocol in force at the time of the events (March 2021) made no
provision regarding the method of sending the requested documentation,
notwithstanding the risks to rights and freedoms present in such data processing.

In July 2021, the complaining party drew attention to this issue in the email they
sent to OPENBANK on July 10, 2021. But the bank ignored it and did not even give
an answer to their concern, which clearly dealt with a question of personal data
protection; this also shows the lack of an internal process at OPENBANK to channel
such issues.

In August 2021, OPENBANK foresees the possibility for clients to send the
documentation in question through an encrypted email, providing the password
through another email (without specifying which one). And it is indicated that the
possibility had been requested that this documentation could be provided through
the customer area of the OPENBANK website.

And it is not until October 2022 that the communication protocols and the documents
of the supposed impact assessment specifically incorporate the possibility of
clients providing the requested documentation through the OPENBANK website, by
logging into their client area.

That is, the solution allowing this information to be provided through the client
area was adopted a year and a half after the March 2021 update of the protocol, and
more than a year after the complaining party had drawn attention to this specific
issue and after the document of the alleged impact assessment had already foreseen
it as a possibility to be followed up on.

All of this shows that OPENBANK did not apply a data protection by design approach
either before or during the processing, so the present allegation is rejected.

OPENBANK alleges that it is perfectly aware that the principle of privacy by design
requires that reinforced measures to guarantee the rights of data subjects be
adopted prior to the processing, but that the obligation to obtain from the data
subject information about the origin of the funds is provided for in the LPBCFT,
which entered into force more than eight years before the GDPR. And that OPENBANK
was obliged to carry out the data processing referred to in this file long before
the rules contained in the RGPD and the LOPDGDD were adopted or became fully
applicable. Therefore, strict application of the principle (in the sense that the
measures had to be prior to the processing) can hardly be required of it, on pain
of failing to comply with its obligations regarding the prevention of money
laundering and the financing of terrorism.

In this regard, this Agency wishes to point out that Organic Law 15/1999, of 13
December, on the Protection of Personal Data was approved more than 10 years before
the LPBCFT, and that the LPBCFT itself, in its original wording, contained a
reference to the personal data protection regulations in its article 32. There is
no doubt that the entities to which the LPBCFT applied were fully subject to the
personal data protection regulations then in force. Regardless of the existence of
an article 32 of the LPBCFT specific to the processing under Chapter III of that
Law (which imposed a series of additional obligations on controllers), this did
not prevent the personal data protection regulations in force at any given time
from applying to the rest of the processing: initially the LOPD of 1999, until the
RGPD and the LOPDGDD, which displaced it, became applicable.

While it is true that the approach of the RGPD and the LOPDGDD was completely novel
compared to the previous data protection regulations, it is no less true that
OPENBANK had more than enough time over the three years (six years if counted from
the adoption of the RGPD text) that elapsed between the approval of the GDPR (April
2016), its becoming applicable (May 2018, which allowed two full years for
preparation and adaptation to the RGPD) and the facts giving rise to this
sanctioning procedure (July 2021) to adapt its processing to the provisions of
articles 25 and 32 of the GDPR (four years, considering that the measures allowing
clients to share the requested information through their private area were only
adopted in October 2022).

Of course, it would have been impossible to have a data protection by design
approach before carrying out the processing when that processing began many years
before the GDPR existed, but it is undeniable that the principle of data protection
by design does not only imply that the measures should be prior to the processing;
article 25 of the RGPD itself states “both at the time of the determination of the
means for processing and at the time of the processing itself”, that is, not only
beforehand but throughout the time the processing takes place and whenever the
means of processing are determined, which is a decision that is also made over
time, as the circumstances and possibilities of each moment change.

Furthermore, it should be noted that, without disregarding the legal obligations
imposed by the LPBCFT, the legal obligations provided for in the GDPR are at least
at the same level, especially since the latter protects a fundamental right. These
obligations must be fulfilled by OPENBANK regardless of compliance with those
arising from the LPBCFT, and compliance with the latter does not make compliance
with the GDPR impossible.

OPENBANK is focusing on its own risks, that is, the risks to the organization if
it does not comply with the LPBCFT, and not on the risks to the rights and
freedoms of its clients regarding data protection.

Finally, OPENBANK alleges that article 32 of the LPBCFT is only applicable to the
obligations contained in its Chapter III, to the point that the legislator was
urged to adopt a rule specifically establishing the scope of those obligations
regarding the protection of personal data in relation to what is established in
Chapter II of that Law, as finally materialized in article 32 bis of the LPBCFT,
added by art. 3.15 of Royal Decree-law 7/2021, of April 27. And that only in this
way can the conclusion reached by Report 195/2013 of the Legal Office of this AEPD
be understood, when it indicates that “the interpretation that the high security
level referred to in article 32.5 of Law 10/2010 is only enforceable in relation
to the files created to comply with the obligations established in Chapter III of
that Law must be considered consistent with the fact that the Law itself
establishes certain limitations on the data subject in relation only to those
files, this required level being an additional guarantee established as a
counterweight to those limitations”, as well as the fact that in Report 41/2018
the AEPD urged the legislator to regulate data protection obligations in the
framework of compliance with the duties of due diligence and special examination
of operations, recommending the drafting of differentiated rules for each type of
processing.

In summary, OPENBANK alleges that the arguments put forward by the AEPD must fail,
given that it bases the alleged non-compliance by OPENBANK with the principle of
privacy by design and the implementation of security measures on a rule, article
32 of the LPBCFT, which is not applicable to the case, as the Agency itself had
even indicated.

In this regard, this Agency agrees that what applies to the obligations of Chapter
II of the LPBCFT is not article 32 of the LPBCFT but rather article 32 bis
thereof, which is why the subsequent legal grounds responding to the allegations
presented by OPENBANK will be given a new wording.

IN CONCLUSION:

       1.- Regulatory compliance with article 25 of the RGPD, privacy by design,
       is not exhausted by compliance with the data protection obligations
       provided for in the LPBCFT.

       2.- Regulatory compliance with article 25 of the RGPD is not achieved
       merely by carrying out data protection impact assessments.

       3.- OPENBANK had not foreseen the processing activity consisting of the
       collection of financial data from clients for the prevention of money
       laundering.

       4.- The data protection impact assessments carried out by the party
       complained against at the time the events occurred did not include the
       processing activity consisting of the collection of financial data from
       clients for the prevention of money laundering.

       5.- Since this activity was not foreseen by OPENBANK, the risks to the
       rights and freedoms of clients present in such processing had not been
       identified and evaluated.

       5.- By not identifying and evaluating the risks, the appropriate technical
       and organizational measures to effectively implement the data protection
       principles (including confidentiality), meet the requirements of the GDPR
       and protect the rights of data subjects (all of its clients) had not been
       established and applied.

       6.- All of the above clearly shows that OPENBANK did not comply with its
       obligation to apply article 25 of the GDPR, privacy by design, either
       before or during the processing.



2. Regarding the reference made by the AEPD to financial data

OPENBANK alleges that the proposed resolution is clearly contradictory, given that
it introduces, in two consecutive paragraphs of legal ground III, two diametrically
opposed considerations that appear to form the basis of its sanctioning reproach.

Thus, it is stated that “it is not appropriate to determine the level of risk and
the need to adopt appropriate security measures on the basis of the financial data
in isolation, but in accordance with the provisions of the data protection
regulations applicable to the case, that is, depending on the type of processing,
and specifically, regarding the prevention of money laundering”, which seems to
reinforce the idea, previously refuted, that it is the nature of the processing,
and not the type of data, that justifies its reproach.


But it immediately adds that “the factual circumstances of the present case
determine that reinforced security measures must be adopted given that the
processing of the complaining party's personal financial data presents a high
level of risk.” That is, it is the nature of the data, considered financial, and
not the purpose of the processing, that justifies the adoption of certain measures
that the AEPD considers not to have been fulfilled.


In this regard, this Agency wishes to point out that the analysis and adoption of
technical and organizational measures to effectively implement the data protection
principles and integrate the necessary safeguards so as to meet the requirements
of the RGPD and protect the rights of data subjects (article 25 of the GDPR), and
the application of appropriate technical and organizational measures to ensure a
level of security appropriate to the risk to the rights and freedoms of natural
persons (article 32 of the RGPD), should not be carried out solely by virtue of
the nature or purpose of the processing, or solely by virtue of the type of data
processed, as if they were mutually exclusive aspects, but must take into account
all the aspects that the processing in question may entail.


The analysis carried out by OPENBANK on the concept of “financial data”, to
determine whether the processing at issue entails a greater risk and whether this
category of data deserves special protection, is not correct, since it seeks to
assess the concept of “financial data” separately from the LPBCFT regulations,
when the need for a data protection impact assessment and the consequent adoption
of reinforced measures guaranteeing the integrity and confidentiality of personal
data, as well as the traceability of data accesses and communications, are already
established by the legal system.


In compliance with the LPBCFT, obliged entities may process financial data, but
not only data of this category: personal data of diverse kinds are also processed,
such as identification, contact or economic data (business, professional,
investment...). Data protection in compliance with the LPBCFT cannot be limited to
the criteria applicable to only one of these data types, as OPENBANK tries to
reason, when what must be protected is access to the information that all this
personal data entails, not only individually but in its processing as a whole.

OPENBANK indicates that the above is reinforced by the fact that legal ground IV
of the proposed resolution once again considers the reference to financial data
made by recital 28 of the GDPR as essential to determine the need for OPENBANK to
have established an additional measure in the collection of data related to the
origin of funds.

In this regard, this Agency wishes to point out that it does not understand the
reference made to recital 28 of the RGPD, since that recital deals with the
pseudonymization of data. In any case, the reference to financial data is
decisive, given that they are data that deserve special protection since their
processing involves a greater risk to the rights and freedoms of natural persons.


OPENBANK alleges that, regarding the reference made by the AEPD to the Guidelines
of the Article 29 Working Party (hereinafter, “WP29”), it suffices to point out
that the processing in question does not involve any type of “evaluation or
scoring” of data subjects, nor their checking against “a credit reference
database or an anti-money laundering and counter-terrorist financing database”,
but only obtaining information on the origin of the funds corresponding to certain
operations.


In this regard, this Agency wishes to recall the content of the “Guidelines on
Data Protection Impact Assessment (DPIA) and determining whether processing is
'likely to result in a high risk' for the purposes of Regulation (EU) 2016/679”,
insofar as relevant here: “In order to provide a more concrete set of processing
operations that require a DPIA due to their inherent high risk (…) the following
nine criteria should be considered: 1. Evaluation or scoring, including profiling
and predicting, especially from “aspects concerning the data subject's
performance at work, economic situation, health, personal preferences or
interests, reliability or behaviour, location or movements” (recitals 71 and
91). Examples of this could include a financial institution that screens its
customers against a credit reference database or against an anti-money
laundering and counter-terrorist financing or fraud database…” (emphasis added).

This Agency considers that the activity carried out by OPENBANK under Chapter II
of the LPBCFT, in which clients are requested to provide the “supporting documents
that justify a certain deposit, since they will allow the origin of the funds
deposited into the client's account at OPENBANK to be clarified”, does fall within
the case of a financial institution that screens its clients against a possible
anti-money laundering and counter-terrorist financing database, which is why these
are operations that are likely to involve a higher risk.

So much so, being operations that are likely to entail a greater risk, that the
LPBCFT itself considered it appropriate to incorporate the need to carry out a
data protection impact assessment of the processing referred to in that article
in order to adopt reinforced technical and organizational measures to guarantee
the integrity, confidentiality and availability of personal data.

Likewise, OPENBANK alleges that the proposed resolution seems to indicate that
OPENBANK has not carried out any assessment of the impact of the processing on
data protection, which directly contradicts the administrative file, which
includes it, as well as the measures adopted to mitigate the data protection risks
derived from the processing.

In this regard, this Agency wishes to recall that the subject of this procedure is
not whether or not OPENBANK carried out an impact assessment as required by
article 32 of the LPBCFT, but whether the organization had incorporated the
principles of data protection by design and by default (article 25 of the GDPR)
and whether it had adopted appropriate security measures in relation to the risk
to the rights and freedoms of data subjects (article 32 of the RGPD).


In the present case, the lack of design of the processing on the part of OPENBANK
is apparent, since the activity of collecting data from clients does not appear in
the so-called “processing life cycle” of its Excel data protection impact
assessment document (provided during the evidence period of this procedure).
Therefore, since this activity was not even foreseen, the appropriate technical
and organizational measures were not applied to effectively implement the data
protection principles (among others, confidentiality), meet the requirements of
the GDPR and protect the rights of data subjects.

Furthermore, this Agency reiterates what has already been answered in the
allegation regarding the applicability of the anti-money laundering regulations
concerning the analysis of the content of the communications sent to the
complaining party and of the documentation provided to the file, all of which
shows that OPENBANK did not apply a data protection by design approach before or
during the processing.

OPENBANK alleges that both the Handbook on European Data Protection Law and the
AEPD Risk Management Guide refer, when mentioning financial data, to data related
to payment methods, even though the proposed resolution seems to deny this
statement categorically and without foundation.

In this regard, this Agency wishes to recall the content of Chapter 9.2 of the
Handbook on European Data Protection Law, prepared by the European Union Agency
for Fundamental Rights, the Council of Europe, the European Court of Human Rights
and the European Data Protection Supervisor, where it refers to “financial data”:
“Although financial data are not considered sensitive data under Convention 108
or the General Data Protection Regulation, their processing requires special
safeguards to ensure the accuracy and security of the data. In particular,
electronic payment systems need to incorporate data protection measures, that is,
privacy or data protection by design and by default.” The mention of privacy
protection in relation to electronic payment systems highlights their importance,
but it does not exclude that other financial data may likewise require special
safeguards, as is the case here with the data collected pursuant to Chapter II of
the LPBCFT.

Regarding the AEPD's Guide on risk management and impact assessment in personal
data processing, it distinguishes three types of economic data that must be
assessed when determining the level of risk of a given processing for the purposes
of the DPIA, differentiating between these three data categories:
       • Data related to the “[e]conomic situation (e.g., without being exhaustive,
       personal income, monthly income, assets (movable/immovable property),
       employment situation)”. These data are assigned a “medium risk.”

       • Data related to the “[f]inancial status (e.g., without being exhaustive,
       financial solvency, debt capacity, debt level (personal loans, mortgages),
       solvency lists, defaults, assets (investment funds, returns generated,
       shares, accounts receivable, income received, etc.), liabilities (expenses
       on food, housing, education, health, taxes, payments of credits, credit
       cards or personal expenses, etc.; or debts or obligations)”. These data are
       also assigned a “medium risk.”

       • “Data on payment methods (e.g., without being exhaustive, credit cards and
       access information for virtual currency services)”. These data are assigned
       a “high risk.”


OPENBANK added in its allegations to the agreement initiating this sanctioning
procedure that the criteria established by the AEPD for carrying out a DPIA
include, in number 4, “[p]rocessing that involves the use of special categories of
data referred to in article 9.1 of the GDPR, data relating to criminal convictions
or offences referred to in article 10 of the GDPR, or data that allow determining
the financial situation or asset solvency of, or inferring information related to
special categories of data about, individuals.”

And that the high risk that should justify the implementation of what that
Agreement calls “high-level security measures” would, in OPENBANK's opinion, only
be predicable of information that:
       • refers to means of payment, that is, data related to those instruments
       that allow the data subject to acquire goods and services or enable them to
       settle debts they may have with third parties, apart from the non-exhaustive
       list in the document;
       • allows determining the financial situation or solvency of a person.

In this regard, this Agency considers that the documentation requested by OPENBANK
by virtue of Chapter II of the LPBCFT, that is, “the documentary support related
to the origin of funds in your bank account (e.g., your payslip, employment
contract, purchase and sale contract in the case of a real estate transaction,
donation or inheritance, the invoice for services provided that is paid by their
beneficiary, the resolution granting a certain aid, etc.)”, contains data related
to the economic situation and financial status of clients, which allow determining
the financial situation or asset solvency of a person, and therefore require
greater protection.

Finally, OPENBANK alleges that this Agency's conclusion, according to which “the
data relating to three deposits into bank accounts should be considered 'financial
data', and the information related to the origin of these deposits, without being
strictly financial in nature, is closely related to these banking movements, so
that when information is provided on the origin of the deposits, the movements in
the complaining party's bank account produced by the activities originating those
deposits are in turn revealed”, lacks any supporting evidence. And that, in any
case, it is evident that the data classified as “financial” (bank account
deposits) are not, and cannot be claimed to be, the same as the remaining data
(information related to the origin of those deposits), which the proposed
resolution considers “closely related” to the banking movements.


In this regard, this Agency insists that it considers that the information regarding the origin of income in clients' bank accounts is closely related to such banking movements and contains data related to the economic situation and financial status of clients that allow the financial situation or asset solvency of a person to be determined, so it requires greater protection in response to the risks to the rights and freedoms of the interested parties.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 30/77


In this sense, we cannot fail to point out that personal financial data considered jointly (those sent by the client themselves, to which those the bank already holds can be added) can reveal multiple aspects about the client, such as their financial situation or asset solvency, as we have indicated.


Thus, Opinion 1/15 of the Court of Justice (Grand Chamber) of July 26, 2017 establishes that, “128 On the other hand, even though some of the PNR data, taken in isolation, do not appear to be able to reveal important information about the private life of the persons concerned, it remains true that, taken together, such data may reveal, among other things, a complete travel itinerary, travel habits, relationships existing between two or more persons, as well as information about the economic situation of air passengers, their eating habits or their state of health, and could even provide sensitive data on such passengers, as defined in Article 2(e) of the envisaged Agreement”, a risk that is also recognized in the CJEU judgment of August 1, 2022.


In any case, the LPBCFT itself recognizes that these are operations that probably entail a greater risk, which is why it was considered appropriate to incorporate the need to carry out a data protection impact assessment of the processing operations referred to in that article, in order to adopt reinforced technical and organizational measures that guarantee the integrity, confidentiality and availability of personal data.

IN CONCLUSION, the documentation requested by OPENBANK under Chapter II of the LPBCFT, that is, “the documentary support related to the origin of a fund in your bank account (e.g., your payroll, employment contract, purchase and sale contract if it is a real estate transaction, donation or inheritance, the invoice for the services provided that are paid by the beneficiary of those services, the resolution declaring the receipt of a certain aid, etc.)”, contains financial data related to the economic situation and financial status of clients, which allow the financial situation or asset solvency of a person to be determined, so its processing requires greater protection in response to the risks to the rights and freedoms of the interested parties.

Therefore, this claim is rejected.


3. Regarding the enforceability of the so-called “high level measures”

OPENBANK alleges that the agreement to initiate this sanctioning procedure invoked the requirement of a “high” security level, which has not been enforceable since the entry into force of the GDPR, and that the proposed resolution merely indicates that it reproduced the text of article 32 of the LPBCFT in the wording in force at the time the events occurred (which only reinforces what has already been indicated regarding its improper application). But it must also be added that, although it is not stated as such, the Initiation Agreement and the Proposed Resolution did intend to apply to OPENBANK, mimetically, the regime prior to the full application of the GDPR, since they refer to a measure, data encryption, which that regulation expressly associated with the so-called “high-level security measures”.

And on this point, the proposal once again denies, although in OPENBANK's opinion there is evidence in the file that contradicts it, that OPENBANK carried out an assessment of the impact of the processing on the rights of the interested parties in order to determine the scope of the measures to be adopted, placing all the blame on OPENBANK for the fact that only one of all its clients “drew [OPENBANK's] attention to this point”, the response given by OPENBANK to that client not being satisfactory in the opinion of the Agency.


And this leads OPENBANK to question whether what the AEPD considers violated in this case is its duty to adopt technical and organizational measures aimed at mitigating the risks of the processing, after analyzing those risks through a data protection impact assessment, something that (in its opinion) the AEPD cannot deny that OPENBANK has carried out, or whether the object of the AEPD's reproach is that it did not give the interested party's “concern” the response that the Authority considers appropriate, even though it cannot be denied (in its opinion) that OPENBANK did respond to the request.

In this regard, this Agency wishes to point out that the present sanctioning procedure refers solely and exclusively to the fact that OPENBANK did not apply, before and during the processing in question, data protection by design and by default to ensure compliance with the principles enshrined in the GDPR (Article 25 of the GDPR), and did not adopt appropriate security measures based on the risk in order to protect the rights and freedoms of the interested parties (Article 32 of the GDPR), in relation to the data processing that is the subject of this procedure. It has also been indicated, for greater completeness, that data protection by design is not exhausted by carrying out an impact assessment.

The references made by this Agency to the LPBCFT are to be understood only as reinforcing the violations of data protection regulations that this Agency has found.


However, this Agency will give new wording to the legal grounds below, as indicated above.

Likewise, this Agency wishes to point out that it has reviewed the measures adopted by OPENBANK regarding the information shared by users in order to comply with the obligations provided for by the LPBCFT, and the reality is that no secure means was provided for customers to supply the requested information, information which, in terms of the risks, could have a high impact on the rights and freedoms of its clients if those risks materialized, as can be seen from OPENBANK's own analysis in its documents called “Impact Assessment - Monitoring of clients and sensitive operations”, both in the August 2021 version and in the October 2022 version. The fact that, even when the complaining party drew attention to this point by sending an email to the address indicated for sending the financial documentation, no response whatsoever was obtained from OPENBANK, further evidences the lack of awareness on this issue, given that the complainant was not provided with an alternative means even when they requested it. That is, what this Agency considers violated in this case is not only that OPENBANK, at the time of the events, had not carried out, before or during the processing in question, an analysis that would ensure compliance with the data protection principles, nor adopted measures appropriate to the risk to the freedoms and rights of the interested parties, but also that OPENBANK did not give the interested party's “concern” an adequate response, all of which does nothing but demonstrate the non-adoption of the principles of data protection by design and by default.

Regarding the analyses carried out by OPENBANK in the documents called “Impact Assessment - Monitoring of clients and sensitive operations”, the August 2021 version, which was not even in force at the time of the events that are the subject of the claim, which took place in July 2021, only foresaw, as a possibility, that clients could send information through an encrypted message, sending the password through another channel. And even that document mentions that “an internal request has been made so that interested parties can upload documents directly through the website, once they have logged in.” However, it has been possible to verify that the complaining party was never given that possibility, neither in the initial communication sent by OPENBANK nor subsequently, when they requested a secure alternative route for sending that communication. It was also found that the communication model sent to clients mentioned none of these options; it only mentioned the possibility of replying to the email that had been sent, without giving further instructions on how such information could be protected.


It is curious that, despite not providing its clients with any sufficiently secure means to supply the information they were obliged to provide, both documents, in their 2021 and 2022 versions, recognize that the risk inherent in such processing had a high impact on the rights and freedoms of the interested parties.

And yet it is only in the October 2022 version that OPENBANK indicates that “customers will identify themselves by means of a DNI and access code to the private customer area”.

Finally, OPENBANK alleges that in no case has it failed to respond to the concerns of the complaining party, nor can that response be considered to contain any threat of any kind, as indicated in the Proposed Resolution. OPENBANK has limited itself to pointing out that the absence of information regarding the origin of the funds in the disputed income would require OPENBANK to block the account, as there may be indications, due to non-compliance with the regulations on the prevention of money laundering, of the existence of illicit conduct on the part of its client.

In this regard, this Agency wishes to point out that the complaining party was not given a satisfactory response to their concern, since they were not provided with an adequate means to supply the information requested by OPENBANK under Chapter II of the LPBCFT.

In any case, it is worth clarifying at this point that what OPENBANK calls a “concern” on the part of the client is nothing more than a person, its client, seeking to make their Fundamental Right to the Protection of Personal Data effective.

As to whether there was any type of threat to the complaining party, we wish to recall the content of the customer communication model in force in July 2021:

“Second communication: D+16
(…)
In the event of not receiving the requested documentation within the next 15 days counting from the date of this communication, we inform you that Openbank may prevent new deposits from being made into your accounts, in compliance with the regulations in force. (…)” (emphasis added)

And the email sent to the complaining party on July 7, 2021 by OPENBANK said the following:

“Dear Mr. A.A.A.

(…)
If the requested documentation is not received within 15 days from the date of this notice, Openbank may, in compliance with the applicable regulations, prevent new deposits from being made into your accounts. (…)” (emphasis added)


The communications sent by OPENBANK to clients (among them, the complaining party), which request the sending of the documentation under Chapter II of the LPBCFT, contain a notice that if the aforementioned documentation is not sent within a period of 15 days, OPENBANK may prevent new deposits into their accounts.


The dictionary of the Royal Spanish Academy explains that a “threat” is a “statement or act by which one threatens”, while “to threaten” is, “said of something bad or harmful: to present itself as imminent to someone or something”, and also “to give indications of being about to suffer something bad or harmful”.

Blocking new deposits into customers' accounts is, of course, something bad or harmful for those who suffer it, however much it may be, as OPENBANK says, because “there may be indications, due to non-compliance with the regulations on the prevention of money laundering, of the existence of illicit conduct on the part of its client”.

Including this information in communications directed to clients causes the latter to send the requested documentation even if they are not provided with an appropriate means to do so (as the complaining party had to do), for fear of the possible unfavorable consequences for them, in this case the blocking of their accounts.


For all the above reasons, this allegation is rejected.

THIRD.- ON THE VIOLATION OF THE NON BIS IN IDEM PRINCIPLE OR, SUBSIDIARILY, THE EXISTENCE OF A MEDIAL CONCURRENCE OF OFFENCES IN THE PRESENT CASE

OPENBANK alleges that it is intended to be punished twice as a result of the same fact and for the violation of the same legal interest, on the basis that it had not established adequate security measures for the transmission (and consequent receipt by OPENBANK) of what was erroneously considered “financial data” and, at the same time, had not adopted such measures from the design of the processing.

Likewise, it alleges that, in the denied event that it were not considered that we were faced with a double sanction for the same act, violating the same protected legal interest, there would be no doubt that the supposed absence of adequate security measures in the sending of documentation would necessarily have its cause, in the opinion of the AEPD, in an inadequate risk analysis carried out by OPENBANK, as a result of which it would not have foreseen the implementation of such measures. In this way, if the violation of the non bis in idem principle were denied, what there would be no doubt about is the existence of a medial concurrence between both violations.

OPENBANK cites the proposed resolution of this sanctioning procedure, in which the following is expressly stated in relation to the alleged violation of article 25 of the GDPR:

       “In this protocol, OPENBANK did not plan to offer its clients any communication channel with a high level of security, despite the fact that the sixth clause of the contract with its processor indicates that “electronic transfers of Customer Information over public or unsecured networks are carried out securely using appropriate encryption methods in accordance with Grupo Santander Policies.”

       By applying the aforementioned protocol, OPENBANK places the responsibility for secure communication on the client, who thus becomes the one who must ensure the confidentiality and integrity of their personal data. On this point, let us recall that, by virtue of the principle of proactive responsibility enshrined in article 5.2 of the GDPR, the controller, in this case OPENBANK, is the one who must ensure the effective privacy and integrity of the personal data being processed.”


OPENBANK indicates that the weight of the accusation of the alleged violation of Article 25 of the GDPR is based on the fact that it had not established, in the opinion of the AEPD, “any communication channel with a high level of security”, transferring to the interested party the responsibility of ensuring “the confidentiality and integrity of their personal data”.

That is to say, it is the Proposed Resolution itself that clearly indicates that the alleged lack of design of adequate technical and organizational measures refers, specifically, to the alleged lack of security measures in the sending of the documentation, subsequently making an assessment of the supposed ineffectiveness of email encryption in ensuring the integrity and confidentiality of the data.

In this way, OPENBANK finds it certainly surprising that the Proposed Resolution itself states elsewhere that, in the present case, when speaking of technical and organizational measures appropriate to the risk, it is not referring to the measures related to the sending of documentation, whose supposed absence is what gave rise to the communication sent by the complaining party to OPENBANK.

In this regard, this Agency reiterates that new wording will be given to the subsequent legal grounds, as indicated above.


OPENBANK alleges that, to support the alleged differentiation and, failing that, disconnection between both infringements, the AEPD points out in legal ground III of the Proposed Resolution that the alleged violation of article 25 of the GDPR does not refer to the failure to take specific measures in the sending of the documents, but to the fact that such measures were not communicated to the complaining party when it expressed its concern about the manner of sending them.

However, OPENBANK understands that such an argument cannot be sustained, given that this alleged lack of communication would be caused by the fact that the security measures whose violation is attributed to OPENBANK, and which were moreover subsequently implemented, did not exist at the time that concern was conveyed to OPENBANK.

That is, we would simply find ourselves faced with the addition of a new element that does not alter the causal relationship between the infringements attributed to OPENBANK, given that the one now argued by the AEPD as the basis for the charge under article 25 of the GDPR (lack of attention to the concern expressed by the interested party, who, even though the reading of the Proposal might suggest otherwise, was indeed given a response) would have its cause in the fact that, in the opinion of the AEPD, adequate security measures had not been adopted because OPENBANK had allegedly failed to carry out an adequate analysis of the risks of the processing for the rights of the interested parties and to adopt such technical and organizational measures.

And all this would return us to the initial conclusion already expressed by OPENBANK: a double sanction is being imposed for the same acts and the alleged violation of the same legal interest or, at least, one of the alleged violations is the direct cause of and subsumes the other, to the point that, had the first not been committed, the second would not have been committed either.

And to this end, OPENBANK indicates that it is paradigmatic to observe how, despite its enormous effort, the Proposed Resolution does nothing more than ratify what was alleged in the Initiation Agreement, when the following is indicated on page 64 of the Proposal:

       “From the examination of the proven facts and the documentation in the file, two infringements can be clearly differentiated, based on different facts and grounds. The commission of the violation of article 32 of the GDPR arises from OPENBANK's documentation requirement to clients (and specifically, the complaining party) following the communication provided for this purpose, in which the client is not informed of any secure means to provide the requested information. Not even when the client asks the bank for an alternative means, as happened in the specific case of the complaining party, who had no choice but to send the aforementioned documentation by email, since when OPENBANK was contacted so that another option could be provided, this did not happen.

       Therefore, no appropriate technical and organizational security measures were applied by OPENBANK to carry out the processing in question, in general or even in response to the request made by the complaining party; data processing is carried out (remember that data collection is a processing operation according to article 4.2) of the GDPR) without adequate security measures to guarantee the confidentiality of the processing.

       On the other hand, the commission of the violation of article 25 of the GDPR is based on the fact that the OPENBANK protocol in force at the time of the events (March 2021) did not provide for giving information on the method of sending the requested documentation. What is punished is the lack of design of an adequate system to comply with the principles of processing, the requirements of the GDPR and to guarantee the rights of data subjects.”


That is, article 32 of the GDPR is considered violated because “the client is not informed of any secure means to provide the requested information”, and article 25 of the GDPR because the OPENBANK protocol “did not provide for giving information on the method of sending the requested documentation”, which is exactly the same thing that has just been invoked as the reason for the charge under article 32 of the GDPR.

First of all, this Agency would like to point out that the violation of article 25 of the GDPR and the violation of article 32 of the GDPR are infringements that are classified separately, as they breach different provisions which protect different legal interests, as will be explained below. It is therefore something foreseen by the legislator, the violation of one provision not precluding the other, which, moreover, does not per se violate the non bis in idem principle.

Likewise, although both infringements are classified as serious for the purposes of limitation periods in the LOPDGDD, they are set out in different sections of article 73 of the LOPDGDD:

       “(…)
       d) The failure to adopt those technical and organizational measures that are appropriate to effectively apply the principles of data protection by design, as well as the failure to integrate the necessary safeguards in the processing, in the terms required by article 25 of Regulation (EU) 2016/679.
       e) The failure to adopt appropriate technical and organizational measures to ensure that, by default, only the personal data necessary for each of the specific purposes of the processing will be processed, in accordance with the requirements of article 25.2 of Regulation (EU) 2016/679.
       f) The failure to adopt those technical and organizational measures that are appropriate to guarantee a level of security appropriate to the risk of the processing, in the terms required by article 32.1 of Regulation (EU) 2016/679.
       g) The breach, as a consequence of the lack of due diligence, of the technical and organizational measures that have been implemented in accordance with the requirements of article 32.1 of Regulation (EU) 2016/679. (…)”.


Therefore, these are perfectly differentiated infringements.

Secondly, article 31 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (hereinafter, LRJSP) establishes: “Sanctions may not be imposed for facts that have already been sanctioned criminally or administratively, in cases in which identity of subject, fact and foundation is found.”

In the present case, the infringement for violating the provisions of article 25 of the GDPR is determined by inadequate data protection by design and by default, under which “the controller shall apply, both at the time of determining the means of processing and at the time of the processing itself, appropriate technical and organizational measures”. These measures need not be strictly security measures, a matter that is specifically covered in article 32 of the GDPR regarding the specific processing, for which “the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk”.


Article 25 of the GDPR is violated when the technical and organizational measures that are appropriate to effectively apply the principles of data protection by design have not been adopted, as well as when the necessary safeguards have not been integrated into the processing, in the terms required by article 25 of Regulation (EU) 2016/679, which may or may not occur due to the absence or deficiency of security measures. The technical and organizational measures to which article 25 of the GDPR refers in order to apply the principles of data protection by design are not limited to strictly security measures.

Such a reading would oversimplify the essence and spirit that inspire the GDPR, as well as the will of the legislator, since compliance with the GDPR is not limited to the implementation of technical and organizational security measures; it would mean, in the present case, reducing the guarantee required by Article 25 of the GDPR to its achievement through security measures alone, leaving the guarantees established by the GDPR without effect de facto.


In this sense, article 25 of the GDPR establishes:

       “Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects” (emphasis added)


This Agency reiterates that there are multiple technical or organizational measures that are not security measures and can be implemented by the controller as a means of guaranteeing this principle.

Article 32 of the GDPR, by contrast, contains the obligation to implement appropriate technical and organizational security measures to ensure a level of security appropriate to the risk. Security measures. Only security measures.

Furthermore, its objective is to guarantee a level of security appropriate to the risk, whereas in the case of article 25 of the GDPR the objective is the management of regulatory compliance with the whole GDPR. Therefore, as can be seen, the two articles pursue different purposes and protect different legal interests, although they may be related.

Regarding the examination of non bis in idem, the Judgment of the National Court of July 23, 2021 (rec. 1/2017) provides that:

       “(…) In accordance with the legislation and case law set out, the non bis in idem principle prevents punishing the same subject twice for the same act on the basis of the same foundation, the latter understood as the same legal interest protected by the sanctioning rule in question. Indeed, when the triple identity of subject, fact and foundation exists, the sum of sanctions creates a sanction unrelated to the proportionality judgment made by the legislator and materializes the imposition of a sanction not provided for by law, which also violates the principle of proportionality.

       But for it to be possible to speak of “bis in idem”, a triple identity between the terms compared is required: objective (same facts), subjective (against the same subjects) and causal (for the same foundation or reason for punishing):

       a) Subjective identity assumes that the affected subject must be the same, whatever the nature of the judicial or administrative authority prosecuting, and regardless of who the accuser or the specific body that has resolved is, or whether the subject is tried alone or jointly with other affected parties.

       b) Factual identity assumes that the facts prosecuted are the same, and rules out cases of real concurrence of infringements in which we are not faced with the same unlawful act but with several.

       c) The identity of foundation or cause implies that the sanctioning measures cannot concur if they respond to the same nature, that is, if they share the same teleological foundation, which happens between criminal and administrative sanctions, but not between punitive and merely coercive measures.”

Taking as reference what was previously explained in this sanctioning procedure, the non bis in idem principle has not been violated, since the violation of article 25 of the GDPR results from not having carried out adequate management of regulatory compliance, while the violation of art. 32 of the GDPR boils down to the absence and deficiency of the security measures (security only) detected, present regardless of the request made by the complaining party. Even if the complaining party had not made any request (many other clients will have limited themselves to sending the required documentation without considering anything), the security measures would, in themselves, have been inadequate.

And all this in the face of the allegations made by OPENBANK, which considers that both provisions require a single conduct, namely implementing appropriate security. This is not true, since article 25 of the GDPR is not restricted to guaranteeing security appropriate to the risk, but rather requires the adoption of measures that ensure the effective application of the data protection principles, compliance with the requirements of the GDPR and protection of the rights of data subjects. And this not only through security measures, but through all types of appropriate technical or organizational measures.


Furthermore, this Agency reiterates what was stated in the aforementioned proposed resolution.

Regarding the violation of the provisions of article 25 of the GDPR, it is worth remembering that Data Protection by Design and by Default (PDDD) is a legal obligation, the violation of which constitutes an infringement according to the provisions of article 83 of the GDPR.

Data protection by design is part of the regulatory compliance management system, which involves conceiving and planning the processing, verifying its compliance and being able to demonstrate it, all framed within a process of review and continuous improvement, where privacy by design plays a fundamental role.

Organizations must take care to establish a true culture of data protection in the organization, where data protection is integrated into their regulatory compliance policies from the very beginning of the design of the processing of personal data.

For its part, the AEPD's “Privacy by Design Guide” defines it as follows: “Privacy by design (hereinafter, PbD) involves using a risk management and proactive responsibility-oriented approach to establish strategies that incorporate privacy protection throughout the life cycle of the object (whether it is a system, a hardware or software product, a service or a process). The life cycle of the object means all the stages it goes through, from its conception to its withdrawal, passing through the phases of development, putting into production, operation, maintenance and retirement.”


And in the resolution of sanctioning procedure PS/00001/2021, this Agency considered that "Accountability (proactive responsibility) implies the implementation of a GDPR compliance and management model that brings about generalized compliance with data protection obligations. It includes the establishment, maintenance, updating and control of data protection policies in an organization, especially if it is a large company (understood as the set of guidelines that govern the conduct of an organization, its practices, procedures and tools), based on privacy by design and by default, that guarantee compliance with the GDPR, prevent the materialization of risks and make it possible to demonstrate compliance."


In the present case, the lack of design of the processing by OPENBANK is evident, since the activity of collecting data from clients was not included in the so-called "processing life cycle" of its Excel data protection impact assessment document (provided during the evidence phase of this procedure). Therefore, since this activity was not even foreseen, the risks present in the processing were not identified or assessed, and the appropriate technical and organizational measures were not applied to effectively implement the data protection principles (among others, the principle of confidentiality provided for in Article 5 of the GDPR), comply with the requirements of the GDPR and protect the rights of data subjects.


It has also become clear that the organization did not have an appropriate procedure for properly responding to a client's concern about a data protection issue: in the present case, in his email of 10 July 2021 the complainant expressed his disagreement with sending the data via unencrypted email. He even states that he asked OPENBANK for an alternative but was offered no other option. Furthermore, the complainant himself proposed the solution later adopted by OPENBANK, stating that "...the bank does not offer the possibility to upload data securely, for example through the client portal (...)", and requested that they "check the process from the point of view of data protection and, where appropriate, take the appropriate measures." However, it was not until this sanctioning procedure began that OPENBANK reviewed this issue and adopted a new solution in order to comply with data protection regulations.

As for the violation of Article 32 of the GDPR, this is based on the fact that the only channel offered to clients (including the complainant) for sending documents, as stated in the proven facts, was to reply to the email itself, and that this means of delivery was not appropriate to the risk that could exist for the rights and freedoms of the data subjects. In this specific case, OPENBANK did not provide its client with an appropriate means of providing the documentation, even despite the complainant's warnings to that effect, so that the documents were sent without adequate security measures.



And this despite the fact that documents 4 and 5, submitted by OPENBANK together with its allegations and entitled "Impact assessment - Customer monitoring and sensitive operations" (versions of August 2021 and October 2022, respectively), classify the risk as high impact in section "13. Security". Moreover, the October 2022 version includes on page 43, under "Control and residual risk", the following statement: "It has been ensured that the communication channels with clients arising from matters related to the prevention of money laundering and terrorist financing have the necessary technical measures to guarantee the protection of their personal data. Clients will identify themselves by means of their ID and access key to the private client area."

Subsidiarily, regarding the application of reinforced technical and organizational measures to the processing in question, the fact that a processing operation as a whole is not considered high risk and need not undergo a data protection impact assessment does not mean that security measures appropriate to the greatest risk presented by any of its activities or stages should not be applied, in accordance with Article 32 of the GDPR. According to OPENBANK's approach, certain reinforced security measures would apply only to high-risk processing, but this idea does not correspond to what the GDPR establishes, namely that the measures must be appropriate to the risk present in each phase of the processing.

Within the processing cycle, which comprises various different activities, the risk need not be uniform; there may be different levels of risk at the different stages of the processing, depending on the activities that make it up. And if one phase carries a greater risk, even though the processing as a whole does not, appropriate measures must be implemented for that phase.

Consequently, these are two different facts with different legal bases. In Article 25 of the GDPR, the legal interest protected is compliance with the GDPR with regard to the obligation to design the processing in its entirety, identifying and assessing the risks to the rights and freedoms of the data subjects in order to implement appropriate technical and organizational measures for the effective application of the data protection principles and to manage compliance with the GDPR. This did not happen in this case: the possibility for clients to send the information required under Chapter II of the LPBCFT, and how to ensure compliance with the GDPR in doing so, was not assessed at all (neither before nor during the processing). Nor was any response given to the concern, to the problem raised by the complainant regarding the protection of his personal data in this matter. The system did not even provide for an alarm in the event of any issue that could affect the rights and freedoms of clients with regard to data protection, that is, a procedure implemented by the controller that is triggered by any failure of the system, whether reported by a client, by an employee or detected by the company itself. In this case the issue was the submission of documentation containing financial data, but it could have been any data protection issue affecting the rights and freedoms of the data subjects. Instead, the system limited itself to replying with an automatic response, without analyzing the substance of what the complainant raised and without providing a satisfactory answer (that is, without providing an appropriate means of sharing that information). Nor did the controller, OPENBANK, set to work after the client's request by implementing a system that would prevent its clients from being left helpless when they raise any question or problem regarding data protection. It should be remembered that this is a fundamental right, and that the GDPR's approach is one of managing the risks to the rights and freedoms of data subjects in order to prevent their materialization. If nothing is provided for, in the terms of the preventive, risk-based system established by the GDPR, sooner or later the risk will materialize.

For its part, Article 32 of the GDPR refers to the security of processing, that is, to the protection of the personal data being processed through the application, by the controller, of measures that guarantee a level of security appropriate to the risk. This provision was violated in the present case, where OPENBANK carried out processing in which it did not offer the data subject a secure means of providing the information it required, so that in the specific case of the complainant the requested documentation had to be sent by ordinary email, despite his having asked the bank for an alternative means of doing so, without one being provided. All this despite the fact that OPENBANK's own documents acknowledge that the risk was of "high" impact on the rights and freedoms of the data subjects.


For all the above reasons, this allegation is rejected.

Regarding the existence of a medial concurrence of infringements (concurso medial), in addition to what has already been stated, this Agency wishes to point out that Article 29 of the LRJSP does not apply to the sanctioning regime imposed by the GDPR, given that the GDPR has its own principle of proportionality.

And this is because the GDPR is a closed and complete system.

The GDPR is a European rule directly applicable in the Member States, which contains a new, closed, complete and global system intended to guarantee the protection of personal data uniformly throughout the European Union.

With regard specifically to the sanctioning regime it provides for, its provisions are immediately, directly and fully applicable, establishing a complete system without gaps that must be understood, interpreted and integrated in an absolute, complete and integral manner, its ultimate purpose being the effective and real guarantee of the fundamental right to the protection of personal data. The contrary would mean the loss of the guarantees of the rights and freedoms of citizens.


In fact, a specific example of the absence of gaps in the GDPR system is Article 83 of the GDPR, which determines the circumstances that may operate as aggravating or mitigating circumstances in respect of an infringement (Article 83(2) GDPR) and specifies the applicable rule in the event of a possible medial concurrence (Article 83(3) GDPR).

To the above it must be added that the GDPR does not allow its provisions to be developed or implemented by the legislators of the Member States, except where the European legislator itself has specifically so provided, delimiting it very precisely (for example, the provision of Article 83(7) GDPR). The LOPDGDD only develops or specifies certain aspects of the GDPR to the extent, and with the scope, that the GDPR permits.


This is because the purpose pursued by the European legislator is to implement a uniform system throughout the European Union that guarantees the rights and freedoms of natural persons, corrects conduct contrary to the GDPR, encourages compliance and enables the free movement of such data.

In this sense, recital 2 of the GDPR states that:

       "(2) The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data. This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons." (emphasis added)


And recital 13 of the GDPR indicates that:

       "(13) In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States. The proper functioning of the internal market requires that the free movement of personal data within the Union is not restricted or prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data." (emphasis added)


In this system, the determining factor of the GDPR is not the fines. The corrective powers of the supervisory authorities provided for in Article 58(2) GDPR, read together with Article 83 GDPR, show the prevalence of corrective measures over fines.


Thus, Article 83(2) GDPR provides that "Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2)."



In this way, the corrective measures, which are all those provided for in Article 58(2) GDPR except the fine, take precedence in this system, the monetary fine being relegated to cases in which the circumstances of the specific case determine that a fine should be imposed together with corrective measures or instead of them.

And all this with the purpose of enforcing compliance with the GDPR, avoiding non-compliance, encouraging compliance and ensuring that infringement is not more profitable than compliance.


Therefore, Article 83(1) GDPR provides that "Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive."


Fines must be effective, proportionate and dissuasive in order to achieve the purpose intended by the GDPR.

For this system to function with all its guarantees, its various elements must be deployed in an integral and complete manner. The application, in the determination of fines, of rules foreign to the GDPR in each Member State under its national law, whether by way of aggravating or mitigating circumstances not provided for in the GDPR (or, in the Spanish case, in the LOPDGDD where the GDPR itself permits it) or by applying a rule on medial concurrence other than that provided for in the GDPR, would reduce the effectiveness of the system, which would lose its meaning, its teleological purpose and the will of the legislator, with the result that the fines imposed for different infringements would cease to be effective, proportionate and dissuasive. It would also deprive data subjects of the effective guarantee of their rights and freedoms, weaken the uniform application of the GDPR and the mechanisms for protecting the rights and freedoms of citizens, and would be contrary to the spirit of the GDPR.

The GDPR is endowed with its own principle of proportionality, which must be applied in its strict terms.

And this is because there is no legal gap, and therefore no supplementary application of Article 29 of the LRJSP.


In addition to the above, it should be noted that there is no legal gap regarding the application of the medial concurrence. Neither does the GDPR permit, nor does the LOPDGDD require, the supplementary application of Article 29 of the LRJSP.


In Title VIII of the LOPDGDD, on "Procedures in the event of a possible breach of data protection regulations", Article 63, which opens the Title, provides that "The procedures handled by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this Organic Law, by the regulatory provisions issued in its implementation and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedure." Although there is a clear reference to the LPACAP, no subsidiary application is in any way established with respect to the LRJSP, which contains no provision whatsoever relating to administrative procedure.


In the same way that the AEPD does not apply the aggravating and mitigating circumstances provided for in Article 29 of the LRJSP, since the GDPR establishes its own and there is therefore no legal gap or subsidiary application of them, neither is it possible, for identical reasons, to apply the paragraph of that article relating to medial concurrence.

For its part, as regards the analysis of the specific case that is the subject of this sanctioning procedure, it should be noted that, notwithstanding the non-application of Article 29 of the LRJSP for the reasons stated, there would in any event be no medial concurrence either.

Article 29(5) of the LRJSP establishes that "When the commission of one infringement necessarily entails the commission of another or others, only the penalty corresponding to the most serious infringement committed shall be imposed."

Medial concurrence thus occurs when, in a specific case, the commission of one infringement is the necessary means for committing a different one.

The proven facts establish the commission of two different infringements, without the violation of Article 25 of the GDPR being, as OPENBANK asserts, the necessary means by which the violation of Article 32 of the GDPR occurs.

It is possible that, in applying data protection by design and by default in order to meet the requirements of the GDPR and protect the rights and freedoms of data subjects, a controller adopts technical and organizational security measures that do not guarantee a level of security appropriate to the risk to the rights and freedoms of natural persons.


And vice versa: a controller may fail to carry out a proper analysis of the measures that guarantee the organization's regulatory compliance, yet have adopted security measures that are appropriate, because they serve that purpose and were already implemented.

As previously indicated, in the present case the lack of design of the processing by OPENBANK is evident, since the activity of collecting data from clients was not included in the so-called "processing life cycle" of its Excel data protection impact assessment document (provided during the evidence phase of this procedure). Therefore, since this activity was not even foreseen, the appropriate technical and organizational measures were not applied to effectively implement the data protection principles (among others, confidentiality), comply with the requirements of the GDPR and protect the rights of data subjects.

It has also become clear that the organization did not have an appropriate procedure for properly responding to a client's concern about a data protection issue: in the present case, in his email of 10 July 2021 the complainant expressed his disagreement with sending the data via unencrypted email. He even states that he asked OPENBANK for an alternative but was offered no other option. Furthermore, the complainant himself proposed the solution later adopted by OPENBANK, stating that "...the bank does not offer the possibility to upload data securely, for example through the client portal (...)", and requested that they "check the process from the point of view of data protection and, where appropriate, take the appropriate measures." However, it was not until this sanctioning procedure began that OPENBANK reviewed this issue and adopted a new solution in order to comply with data protection regulations.


As for the violation of Article 32 of the GDPR, this is based on the fact that the only channel offered to clients (including the complainant) for sending documents, as stated in the proven facts, was to reply to the email itself, and that this means of delivery was not appropriate to the risk that could exist for the rights and freedoms of the data subjects. In this specific case, OPENBANK did not provide its client with an appropriate means of providing the documentation, even despite the complainant's warnings to that effect, so that the documents were sent without adequate security measures.

And this despite the fact that documents 4 and 5, submitted by OPENBANK together with its allegations and entitled "Impact assessment - Customer monitoring and sensitive operations" (versions of August 2021 and October 2022, respectively), classify the risk as high impact in section "13. Security". Moreover, the October 2022 version includes on page 43, under "Control and residual risk", the following statement: "It has been ensured that the communication channels with clients arising from matters related to the prevention of money laundering and terrorist financing have the necessary technical measures to guarantee the protection of their personal data. Clients will identify themselves by means of their ID and access key to the private client area."


For all the above reasons, this allegation is rejected.

FOURTH.- ON OPENBANK'S COMPLIANCE WITH THE PRINCIPLE OF DATA PROTECTION BY DESIGN

OPENBANK alleges that:

       • Privacy by design refers to the comprehensive analysis of the processing and of the risks it may entail for the rights and freedoms of the data subjects. Accordingly, this principle could only be considered breached if it were proven that the sanctioned party had not carried out that process, so that the fact that its result does not coincide with what the AEPD considers appropriate does not imply a failure to comply with Article 25 of the GDPR but, where appropriate, the infringement of another of its provisions.


The AEPD in its Proposed Resolution does not make even a minimal assessment of this allegation, which it completely ignores, again attempting to link the alleged non-compliance with the principle of privacy by design to the simple fact that the data subject was not offered an alternative means of sending the documents that OPENBANK requested in order to prove the origin of the funds of three transactions carried out with it, as required by the LPBCFT.


In this regard, this Agency wishes to point out that Article 25 of the GDPR does not entail only a "comprehensive analysis of the processing and the risks it may entail for the rights and freedoms of the data subjects", but also requires that appropriate technical and organizational measures be applied to implement the data protection principles effectively, and that the necessary safeguards be integrated in order to comply with the requirements of the GDPR and protect the rights of data subjects. In this sense, Article 73(d) of the LOPDGDD classifies as a serious infringement, for the purposes of limitation periods, "The failure to adopt those technical and organizational measures that are appropriate to effectively apply the data protection principles by design, as well as the failure to integrate the necessary safeguards in the processing, in the terms required by Article 25 of Regulation (EU) 2016/679".

In the present case, it is not only that neither the data subject (nor clients in general) was offered an alternative means of sending the documents requested under Chapter II of the LPBCFT, but that the controller did not foresee that processing at all, as is evident from the impact assessment document in force in July 2021 (provided during the evidence phase of this sanctioning procedure), in which that processing (the sending of such documentation by clients) was not even contemplated. Only in August 2021 was that processing incorporated into the customer-monitoring impact assessment, although it was not until October 2022 that clients were given the possibility of sending documentation through the OPENBANK client area, a possibility raised by the complainant as early as July 2021 and which the same 2021 document itself listed as a possibility to be implemented. And this without even taking into account that the same 2021 impact assessment considered the potential impact on the rights and freedoms of the data subjects to be high.

OPENBANK also alleges that legal ground III of the Proposed Resolution adds an additional issue that was not in the Initiation Agreement and is now incorporated in order to justify the change of approach in the imposition of this sanction: that the lack of privacy by design is due to OPENBANK not having provided for mechanisms allowing "feedback" into the analysis previously carried out, taking into account the feedback that data subjects can provide to the controller.


That is, privacy by design would not only require an analysis of the risks arising from the processing (which, it must be said, in this case have not materialized in any way), but would require modifying the circumstances and characteristics of the processing on the basis of the feedback received from data subjects, so that, in response to a communication addressed to OPENBANK by a specific data subject, Article 25 of the GDPR would only be considered complied with if OPENBANK modified the risk assessment previously carried out and also modified the technical and organizational measures involved in the processing, even where that feedback refers only to an alleged potential risk, never proven, reported by a single client.


In this regard, this Agency wishes to point out that OPENBANK is correct in stating that data protection by design and by default implies adopting the mechanisms necessary to continually re-evaluate the processing carried out, which implies, among other measures, having "mechanisms that allow 'feedback' into the analysis previously carried out, taking into account the feedback that data subjects can provide to the controller", where applicable.


Regarding the need for the risks arising from the processing to materialize, it should be noted that Article 25 of the GDPR does not require such risks to occur; on the contrary, it requires that appropriate measures be adopted precisely to prevent such risks from materializing.


Finally, this Agency wishes to make clear that it does not claim that a communication made by a specific data subject means that "Article 25 of the GDPR would only be complied with if OPENBANK modified the previously carried out risk assessment and also modified the technical and organizational measures involved in the processing, even where that feedback refers only to an alleged potential risk, never proven, reported by a single client." Rather, in the present case no action at all was taken on the problems raised by the complainant, nor has it been proven that mechanisms had been arranged to provide him with other means, more appropriate to the existing risk to his rights and freedoms, through which he could provide the requested information. What is more, in August 2021 the customer-monitoring impact assessment document had already indicated that the impact on the rights and freedoms of the data subjects was high and that clients could be given the possibility of providing the requested information through the bank's private area. But it was not until October 2022, more than a year later, that this possibility was enabled. All of this only shows that OPENBANK had not implemented a data protection by design and by default approach in its organization, at least in relation to the processing that is the subject of this sanctioning procedure.

OPENBANK alleges that it had carried out an adequate assessment of the risks arising from the processing, establishing the appropriate measures to mitigate them, and that it had adopted measures related to the issue analyzed in this file before the complainant contacted it, even if their implementation came later.

And that at the time the events giving rise to this procedure occurred, OPENBANK had carried out a data protection impact assessment in relation to the processing linked to compliance with the due diligence obligations provided for in the LPBCFT. That is, it had made a detailed analysis of the risks arising from the processing and implemented the appropriate measures to mitigate those risks. In this sense, the fact that the AEPD considers a measure supposedly insufficient cannot mean that it thereby denies that the measures were adopted, as the Proposed Resolution seems to indicate.


In this regard, this Agency wishes to point out that document 4, provided together with the allegations to the agreement initiating this sanctioning procedure, indicates that it is dated August 2021, whereas the first email sent to the complainant is dated 7 July 2021. This document is therefore later than the events complained of.

Regarding the analysis of the risks carried out in that document, this Agency reiterates what has already been indicated above as to why Article 25 of the GDPR is considered to have been violated.


OPENBANK indicates that it has provided the various data protection impact assessments carried out in relation to this processing, although it cannot hide its surprise at the fact that the administrative file does not contain the one sent in response to the Agency's request for evidence, which was attached to the letter addressed by OPENBANK to the AEPD on 19 December (page 699 of the administrative file), the file not including that impact assessment.

In this regard, this Agency wishes to point out that when the copy of the file was generated for sending to OPENBANK, the document containing the impact assessment in force at the time of the events, being an Excel file, did not have its contents reproduced in the generated copy. It is, however, incorporated into this Agency's information systems, and reference is made to its content both in the proven facts and in the legal grounds of this resolution.


OPENBANK also alleges that the AEPD seems to deny the effectiveness of the aforementioned documents, even going so far as to describe as an "alleged impact assessment" the one that provided for the establishment of mechanisms so that data subjects could provide documents in their private area of the website and of the OPENBANK App, something expressly stated in the assessment carried out by OPENBANK.

And on this point, OPENBANK wishes to clarify that the assessments provided (their content, in fact) may not coincide with what the AEPD expects, but in no way can they be described as "alleged" unless the Agency proves that it has evidence allowing it to make such an assertion. OPENBANK understands that the AEPD's characterization lacks the slightest foundation and represents a very serious accusation directed against OPENBANK which, at the very least, should have some support allowing a document adopted by OPENBANK to be converted into an "alleged" document. At the same time, a document incorporating measures that, with greater or lesser speed, have actually been implemented by OPENBANK can hardly be described as "alleged".

In this regard, this Agency wishes to point out that the documents provided by OPENBANK together with its allegations to the initiation agreement and during the evidence phase of this sanctioning procedure are not duly signed, so that neither their authenticity and integrity nor their date can be established. Nor has this Agency assessed whether or not the content of the cited documents meets the requirements that the GDPR imposes on a data protection impact assessment. Hence the qualification of "alleged" that this Agency used in its proposed resolution.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 50/77


OPENBANK alleges that the AEPD in no way proves that the risks it has invoked throughout the procedure have materialized (which has never happened), or even that they exist at all, since it bases its reasoning on the alleged insufficiency of email as a means of communication, despite the fact that OPENBANK has already demonstrated the validity of this means for the transmission of information.

In this regard, this Agency reiterates that article 25 of the GDPR does not require that such risks materialize; on the contrary, it requires that appropriate measures be adopted precisely to prevent them from materializing.


Likewise, OPENBANK alleges that, since both the AEPD and the EDPB consider that the assessment of the impact of processing on the rights of data subjects must be a dynamic and successively reviewed process, OPENBANK carried out successive assessments. However, the AEPD gives no value whatsoever to the fact that this process led to the subsequent adoption of further complementary measures for the submission of documents, because the continuous review of processing, advocated by the AEPD itself, is now regarded by the AEPD as a reactive process (even though, at the time it took place, there was no claim on the matter) and as a mere "patch". And if "patch" is to be understood, according to the Dictionary of the Royal Spanish Academy, as a "provisional, and in the long run unsatisfactory, solution given to some problem", it would appear that this supposedly insufficient solution is the one the AEPD considered applicable in this case.

OPENBANK considers, on this point, that the proposed resolution cannot simultaneously maintain one idea and its opposite in order to sanction it: it is not possible to say that OPENBANK did not adopt measures by design to minimize the risks of the processing through successive review of the impact assessments carried out in relation to that processing and, at the same time, to consider that the measures adopted as a consequence of that assessment, which coincide with those the AEPD considers appropriate, are a mere patch, that is, that they are not satisfactory for solving the supposed problem posed regarding the means used to send documents.

Nor can OPENBANK be blamed for the fact that the measures were not implemented "before the system was in operation", again with reference to the characterization of the measures implemented as a "patch". As has already been said, OPENBANK is obliged to require its clients to provide proof of the origin of their funds, that is, to put the aforementioned "system" into operation, at least since the entry into force of the LPBCFT. On that date there was no rule that referred to the principle of privacy by design or to the obligation to carry out a data protection impact assessment, without prejudice to OPENBANK adopting the technical and organizational measures it considered appropriate to mitigate any risk the processing could pose to its clients' right to the protection of personal data. The AEPD seems to consider that OPENBANK should have been aware of a series of obligations that, however, would not be adopted in a legal text until six years after the start of the processing and were not fully applicable until eight years after that date.

OPENBANK considers that it is not reasonable to require of it obligations that were unknown, or to expect it to interrupt its compliance processes under the anti-money laundering regulations, with the resulting breach of those regulations, as a consequence of the entry into force of the GDPR; in any case, it reiterates that it carried out the corresponding data protection impact assessment and adopted technical and organizational measures that allowed it to mitigate any risks arising from the processing.

In this regard, this Agency acknowledges that the use of the term "patch" in its proposed resolution may not have been the most accurate, and it will therefore be reworded; this does not prevent this Agency from maintaining that OPENBANK has not implemented data protection by design and by default with regard to the processing that is the subject of this sanctioning procedure, for all the reasons previously set out in detail. Its response was reactive rather than proactive, and was generated only once the data subject had lodged the claim with the supervisory authority.

Finally, this Agency reiterates that, although it is true that the approach of the GDPR and the LOPDGDD was completely new with respect to the previous data protection regulations, it is no less true that OPENBANK had more than enough time in the three years (six years if counted from the adoption of the GDPR text) that elapsed between the approval of the GDPR (April 2016), the date on which the GDPR became applicable (May 2018, which granted two full years for preparation and adaptation to the GDPR) and the facts that gave rise to the claim behind this sanctioning procedure (July 2021) to adapt its processing to articles 25 and 32 of the GDPR (four years if one bears in mind that the measures allowing customers to share the requested information through their private area were only adopted in October 2022). Of course, it would have been impossible to apply a data protection by design approach before carrying out the processing, when the processing began many years before the GDPR existed, but it is undeniable that the principle of data protection by design does not only mean that the measures must precede the processing: article 25 of the GDPR itself says "both at the time of the determination of the means for processing and at the time of the processing itself", that is, not only beforehand but throughout the time the processing takes place and whenever the means of processing are determined, which is a decision that is also made over time, as the circumstances and possibilities of each moment change.

For all the above reasons, this allegation is rejected.


FIFTH.- REGARDING THE ALLEGED VIOLATION BY OPENBANK OF ARTICLE 32 OF THE GDPR



OPENBANK alleges that the measure it adopted cannot be considered contrary to article 32 of the GDPR, since the arrangement in place at the time of the events, namely the sending by email of documentation proving the origin of funds, was appropriate in view of the risks that the processing could pose to the rights of clients.

And that in no case could it be concluded that email was not an appropriate means for those submissions, in view of the report of the National Cryptological Center, which, far from considering the use of email undesirable, showed how the main providers of this service had adopted measures aimed at encrypting and authenticating emails.

It does acknowledge that the report of the National Cryptological Center indicated that there are users who make "careless" use of the email service. However, it alleges that OPENBANK cannot adopt the technical and organizational measures applicable to the processing it carries out on the basis of the more or less careless use that users may make of email services, since this would shift to OPENBANK the responsibility for the actions of its clients, which cannot in any way be regarded as consistent with the principle of responsibility enshrined in our sanctioning rules.

OPENBANK alleges that, faced with these arguments, the proposed resolution, after reproducing the content of the initiation agreement in its legal ground VIII, limits itself to refuting the allegations with the categorical statement that "this Agency does indeed doubt that email constitutes a secure means of communication for sending documentation whose confidentiality must be guaranteed, as is the case here, and this is the reason for the imputation of the violation of article 32 of the GDPR", subsequently invoking the contents of the aforementioned report of the National Cryptological Center.

In this sense, OPENBANK alleges that, barring error on its part, in the numerous reports, resolutions, guides and guidelines issued by the AEPD, as well as in those issued by the EDPB, there is no indication that would lead OPENBANK to consider that the use of email was a practice that had to be prohibited as regards the receipt of personal data for subsequent processing. There is no doubt that this is the usual and customary technique of communication between entities bound by the data protection regulations, in any sector of activity, and their clients, and yet it is not known to have been questioned by the AEPD until the present sanctioning file.

This represents a change of criterion that, at the very least, can be described as surprising for OPENBANK and which nonetheless entails the imposition of sanctions totalling 2,500,000 euros. And this sanction is imposed on the basis of the mere existence of a communication addressed to OPENBANK by a client in which neither the occurrence, much less the materialization, of a risk to their right to data protection is in any way established. We would thus be facing what the judgment of the Contentious-Administrative Chamber of the National Court of December 23, 2022 (appeal 104/2021) describes as "a potential infringement that is not punishable under the data protection regulations".


In this regard, this Agency wishes to point out that, in the present case, because of the special protection that the data provided by clients required, given the greater risk they entailed for their rights and freedoms, as explained in detail above, reinforced security measures had to be adopted.


In the present case, this Agency considers that sending the information requested under Chapter II of the LPBCFT by simple email was not an appropriate measure in view of the risk to the rights and freedoms of natural persons. And this not only because of the careless use that could be made of email. The aforementioned report of the National Cryptological Center indicated that some of the measures referred to, adopted by the best-known mail providers, were susceptible to attack and that, even where the communication was established satisfactorily, the mail servers through which the email passes on its way to its destination would have access to its content. Hence its conclusion that "it follows that it is not enough to delegate email security to the underlying technologies responsible for delivering it to its addressee".
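The distinction the report draws, between encryption on each hop and protection of the content itself, is one a practitioner can check on a received message. The following Python script is an added example, not part of the AEPD decision or of any OPENBANK system: it parses the Received: header chain of a message to list every relay that handled it and whether that hop used TLS (the RFC 3848 "with ESMTPS" convention), and separately checks whether the body is end-to-end encrypted (PGP/MIME or S/MIME enveloped data). Both sample messages, their hostnames and their addresses are constructed for illustration.

```python
"""Added example, not part of the AEPD decision or of any OPENBANK system:
tell hop-by-hop transport security apart from end-to-end confidentiality by
reading a received e-mail's headers. Standard library only; both sample
messages, hostnames and addresses below are constructed for illustration."""
import re
from email import message_from_string

# Each MTA prepends its own Received: header, so the topmost one is the last hop.
# RFC 3848 "with" keywords: ESMTPS / ESMTPSA / UTF8SMTPS mean that hop used TLS,
# ESMTP / ESMTPA / SMTP mean it was cleartext. TLS on a hop protects the wire
# between two relays only; the relay itself still holds the plaintext.
_RECEIVED_RE = re.compile(
    r"\bfrom\s+(?P<frm>\S+).*?\bby\s+(?P<by>\S+)"
    r"(?:.*?\bwith\s+(?P<with>[A-Za-z0-9]+))?",
    re.IGNORECASE,
)


def parse_hops(raw: str) -> list:
    """Return the relay chain in chronological order, one dict per hop."""
    msg = message_from_string(raw)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        flat = re.sub(r"\s+", " ", header)  # unfold the header
        m = _RECEIVED_RE.search(flat)
        if not m:
            continue
        proto = (m.group("with") or "").upper()
        hops.append({"from": m.group("frm"), "by": m.group("by"),
                     "with": proto or None, "tls": "SMTPS" in proto})
    return hops


def is_end_to_end_encrypted(raw: str) -> bool:
    """True if the payload is PGP/MIME (RFC 3156) or S/MIME enveloped data,
    i.e. relays only ever see ciphertext, whatever the transport did."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":
        return (msg.get_param("protocol") or "").lower() == "application/pgp-encrypted"
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # smime-type=signed-data is a signature only; enveloped-data is encryption
        smime = (msg.get_param("smime-type") or "").lower()
        return smime in ("enveloped-data", "authenveloped-data")
    return False


def assess(raw: str) -> dict:
    """Summarize who could have read the content on its way to the recipient."""
    hops = parse_hops(raw)
    all_tls = bool(hops) and all(h["tls"] for h in hops)
    e2e = is_end_to_end_encrypted(raw)
    if e2e:
        verdict = "end-to-end encrypted: relays handled ciphertext only"
    elif all_tls:
        verdict = "TLS on every hop, but every relay held the plaintext"
    else:
        verdict = "at least one cleartext hop, and every relay held the plaintext"
    return {"hops": len(hops), "all_hops_tls": all_tls, "end_to_end": e2e, "verdict": verdict}


# Constructed sample 1: webmail -> bank MX -> bank mailbox, TLS on every hop,
# plain PDF attachment (what a customer replying by ordinary e-mail sends).
SAMPLE_TRANSPORT_ONLY = """\
Received: from mx2.recipient-bank.example (mx2.recipient-bank.example [203.0.113.20])
    by imap.recipient-bank.example with ESMTPS id abc123
    for <aml@recipient-bank.example>; Mon, 2 Aug 2021 10:02:11 +0200
Received: from relay.webmail-provider.example (relay.webmail-provider.example [198.51.100.7])
    by mx2.recipient-bank.example with ESMTPS id def456;
    Mon, 2 Aug 2021 10:02:09 +0200
Received: from [192.0.2.15] (customer-dsl.example [192.0.2.15])
    by relay.webmail-provider.example with ESMTPSA id ghi789;
    Mon, 2 Aug 2021 10:02:05 +0200
From: customer@webmail-provider.example
To: aml@recipient-bank.example
Subject: Proof of origin of funds
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/pdf; name="deed_of_sale.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQKJSBwbGFjZWhvbGRlcg==
--b1--
"""

# Constructed sample 2: a single cleartext hop, but a PGP/MIME body (RFC 3156).
SAMPLE_PGP = """\
Received: from relay.webmail-provider.example (relay.webmail-provider.example [198.51.100.7])
    by mx2.recipient-bank.example with ESMTP id jkl012;
    Mon, 2 Aug 2021 11:15:40 +0200
From: customer@webmail-provider.example
To: aml@recipient-bank.example
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b2"

--b2
Content-Type: application/pgp-encrypted

Version: 1
--b2
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
hQEMA3BsYWNlaG9sZGVyAQf/placeholder-ciphertext
-----END PGP MESSAGE-----
--b2--
"""
```

For the first constructed message every hop advertises TLS and `assess` still reports that each relay held the plaintext, which is the report's point; for the second, a cleartext hop carried only ciphertext because the protection was applied to the content. An intake check of this kind on the controller's side can flag a submission as transport-only and steer the customer to an authenticated upload instead, rather than leaving the choice of encryption tooling to the customer.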

Nor did the client monitoring protocols provide for any kind of assistance to clients to encrypt the documents they sent, or any other facility, so that information sent by email could not be expected to carry such an additional security measure either, which is not widespread among users and requires a certain technical knowledge. In this sense, this Agency indicated that making security depend on the client's own level of technical knowledge and on the client having the appropriate tools amounted to a transfer of risk from OPENBANK to the client.


As to the argument that OPENBANK cannot be required to adopt measures on the basis of the more or less careless use that users may make of email services, this Agency considers that, while this does place on OPENBANK the risk arising from its clients' actions, it is a more than probable and foreseeable risk that OPENBANK should have assessed and tried to prevent from occurring, especially considering that the bank itself rated the potential impact of this processing on the rights and freedoms of natural persons as high, as stated in the impact assessment of August 2021.

As regards the claim that neither the reports, resolutions, guides and guidelines of the AEPD nor those of the EDPB contain any indication that would lead OPENBANK to consider that the use of email had to be ruled out for receiving personal data for subsequent processing, it should be recalled that this Agency does not hold that sending email is an insecure means in every case and for every processing operation; it is nonetheless undeniable that in the present case it was not an appropriate means for sharing the information required under Chapter II of the LPBCFT, which called for the adoption of certain reinforced measures.


As to the fact that a fine of 2,500,000 euros is imposed on the basis of a communication addressed to OPENBANK by a client in which no materialization of a risk to their right to data protection is established, this Agency wishes to point out that, although the violation of article 32 of the GDPR came to light as a result of a complaint by an OPENBANK client, the infringement found concerns not only that client but all OPENBANK clients, since until October 2022 the only option offered to clients for sending the documentation requested under Chapter II of the LPBCFT was to send it by simple email. And as to the absence of any materialized risk to their rights and freedoms, this Agency points out that article 32 of the GDPR does not require such a risk to materialize; on the contrary, it is about taking appropriate measures to prevent it from materializing. Therefore, the present case is not "a potential infringement that is not punishable under the data protection regulations"; rather, it has been found that the measures adopted for sending the documentation requested under Chapter II of the LPBCFT were not appropriate in view of the increased risk that this information could pose to the rights and freedoms of natural persons.

Finally, OPENBANK wishes to clarify what it provided as Document number 9 together with its brief of allegations to the initiation agreement (page 654 of the administrative file), a certificate issued by OPENBANK's Director of Technology and Operations, which literally stated the following:

       "That in accordance with what is defined in Openbank's Technological Development Plan, as of October 13, 2022, the entity has enabled within the private area of the website (username and password required for access) a space for clients to provide the documentation required in compliance with article 6 of Law 10/2010, of April 28, on the prevention of money laundering and terrorist financing, whose text reads as follows:
              "Article 6. Continuous monitoring of the business relationship.
              The obligated subjects shall apply continuous monitoring measures to the business relationship, including scrutiny of the operations carried out throughout that relationship, in order to ensure that they are consistent with the obligated subject's knowledge of the client and of its business and risk profile, including the source of funds, and to ensure that the documents, data and information available are kept up to date."


And that the proposed resolution merely states that OPENBANK does not prove the date on which the described procedure was made available to its clients.

In this regard, this Agency wishes to point out that it is accepted as established that on October 13, 2022 the possibility was enabled for clients to provide the information required under Chapter II of the LPBCFT through their private area of the OPENBANK website.

SIXTH.- ON THE VIOLATION OF THE PRINCIPLE OF PROPORTIONALITY


OPENBANK alleges that the aggravating circumstances set out in the proposed resolution for the violation of article 25 of the GDPR and for the violation of article 32 of the GDPR contain almost literally the same considerations, which, in its opinion, only highlights the complete identity of the two forms of conduct imputed to OPENBANK, so that the non bis in idem principle, already invoked previously, applies.

In this regard, this Agency reiterates what it has already stated in its response to the alleged violation of the non bis in idem principle.


OPENBANK notes that the AEPD considers the sanction proportionate because it is significantly lower than the 885 million euros that represents 2% of the 2021 turnover of Grupo Santander, to which OPENBANK belongs, and that for this purpose it invokes the case law of the Court of Justice of the European Union on the meaning of the term "undertaking", citing various judgments.

However, OPENBANK considers it necessary to disagree with this reasoning, since the AEPD has at no point in the procedure demonstrated that, beyond holding 100% of OPENBANK's share capital, Grupo Santander plays a decision-making role in OPENBANK's policies, still less that OPENBANK's conduct regarding compliance with the data protection regulations (including the conduct of data protection impact assessments or the determination of the technical or organizational measures to be adopted in relation to a given processing operation) derives from, or is even minimally influenced by, Grupo Santander; that power of influence is the decisive factor used by the case law invoked in the proposed resolution to justify applying the concept of undertaking established in Union law and, consequently, calculating the amount of the fine on the turnover of Grupo Santander rather than exclusively on that of OPENBANK.


In this regard, it must be reiterated that it is for the AEPD to prove that decision-making power, beyond the ownership of the shareholding, and no evidence has been produced to that effect. On the contrary, as is evident at first glance simply by consulting their websites, the privacy policies of OPENBANK and of the other Grupo Santander companies are different, and OPENBANK has a data protection officer who has no connection with those of the other Group companies.

Therefore, the calculation established in the proposed resolution cannot be made; at most, it must be made on OPENBANK's own turnover, notwithstanding that OPENBANK is a company forming part of Grupo Santander.

In this regard, this Agency wishes to recall that, as stated in Grupo Santander's "Annual Report 2021", Banco Santander S.A. holds 100% of the direct shareholding in OPENBANK, as well as 100% of the voting rights in OPENBANK. Therefore, the decision-making power of Banco Santander S.A. over OPENBANK is more than decisive: it is absolute. Having different privacy policies, or a data protection officer with no connection to those of the other Group companies, would not change this situation either.

In this regard, article 39.1 of the GDPR, "Tasks of the data protection officer", provides:

"1. The data protection officer shall have at least the following tasks:
       a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
       b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
       c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
       d) to cooperate with the supervisory authority;
       e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter."


As can be seen, none of these tasks involves any decision-making power on the part of the data protection officer; that power is, logically, reserved to the controller.

Therefore, this allegation is rejected.


OPENBANK alleges that the proposed resolution considers that the measures taken to allow documents relating to the origin of funds to be uploaded through the clients' private area should not be taken into account, without offering a single argument to that effect.


And that the AEPD is nonetheless fully aware that this measure had already been agreed as a corrective measure when the data protection impact assessment of August 2021, which is in the file, was carried out, although, as the AEPD is equally well aware, the implementation of technical measures within an organization such as OPENBANK involves successive processes that extend over time.

On the contrary, OPENBANK alleges, the proposal does not hesitate to treat the adoption of this measure as something that must prejudice the bank or aggravate its conduct, since, surprisingly, the AEPD takes it to corroborate OPENBANK's lack of diligence; this is incomprehensible, since it would penalize the party that adopts a process even more protective than required, to the benefit of those who take no action at all in this regard.

In this regard, this Agency wishes to point out that neither at the start of this sanctioning procedure (August 26, 2022) nor even at the signing of the initiation agreement setting out the aggravating factors of the violations of articles 25 and 32 of the GDPR (October 3, 2022) had OPENBANK yet implemented the possibility for clients to provide the information requested under Chapter II of the LPBCFT through their private area of the website, which was only enabled as of October 13, 2022, so it cannot be taken into account as a mitigating factor. This circumstance has, however, been taken into account in assessing the duration of the infringements and in not imposing measures that OPENBANK must adopt in this regard.

As to the suggestion that having adopted this measure seems to harm the bank, this Agency rejects that statement. It is not that the measure harms OPENBANK; rather, this Agency considers that, given that the impact assessment document of August 2021 already called for the implementation of such a measure, in view of the potentially high impact of this processing on the rights and freedoms of natural persons, and that it was not until October 2022, more than a year later, that the measure was implemented, the time taken, even allowing for the periods that implementation processes require, exceeded what is reasonable, which in this Agency's opinion shows a negligent attitude on the part of OPENBANK in this regard.

Finally, this Agency wishes to emphasize that this criterion in no way "penalizes the party that adopts a process even more protective than required, to the benefit of those who take no measure in this regard"; on the contrary, whoever adopted no measure at all would obviously deserve greater reproach: their attitude would be assessed as even more seriously negligent, the duration of the infringement would be longer and, in addition to the fine, measures to bring the processing into line with the GDPR would be imposed.

Regarding the number of people affected by the processing, OPENBANK alleges that the proposed resolution contains two paragraphs that cannot in any way be considered acceptable on their own terms. In fact, the AEPD's argument on this point is, in its entirety, the following:

"OPENBANK describes the application of this criterion as 'an a priori assumption lacking the slightest foundation'. However, it is a matter of pure logic to consider that a sanction cannot be graded in the same way when, due to the lack of appropriate measures, the processing potentially affects nearly two million clients, as in the present case. If an entity with a small number of data subjects who could potentially be affected were punished in the same way as a large company, the principle of proportionality would be violated.

Furthermore, as OPENBANK itself indicates, the certificate provided by the bank shows that the number of clients affected by this type of operation, an average of close to 13,000 data subjects in the last two years, confirms that the lack of appropriate technical and organizational measures can put a large number of people at risk, most of whom email personal data relating to their assets without any measure to protect their confidentiality."

OPENBANK indicates that the most basic rule of arithmetic shows that two million clients and 13,000 (in total, not as an annual average) cannot be referred to as equal or equivalent figures. However, from the AEPD's reasoning it seems to follow that both figures are treated as equal, since the reproach incorporated in the initiation agreement, which took into account only the potential impact on two million clients, is maintained in the proposed resolution, which nonetheless seems to consider 13,000 to be the figure that must be taken into account. And it must be borne in mind that the judgment of the National Court of December 23, 2022, already cited, denies the AEPD the power to impose sanctions for potential breaches of the personal data protection regulations, the doctrine of that judgment being fully applicable to the present case.


In this regard, this Agency reiterates that the present case does not concern "potential breaches of the personal data protection regulations": breaches of articles 25 and 32 of the GDPR have taken place, even though the risks those articles are intended to avoid have not materialized, which is precisely the purpose of those provisions.


Regarding the number of people affected, this Agency will take into consideration that the number of potentially affected persons is the total number of OPENBANK clients (two million clients), being those whom the bank could ask to provide the documentation required under Chapter II of the LPBCFT, while the number of data subjects directly affected has been 13,000 clients on average per year, giving a total of 65,000 clients, on the basis of 13,000 directly affected clients per year from May 2018 (when the GDPR became applicable) to October 2022 (when the possibility of providing the documentation through the private area of the bank's website was enabled); these are the clients whom OPENBANK has required to provide documentation under Chapter II of the LPBCFT without providing them with an appropriate means for sending it.

Regarding the aggravation of the sanction as a consequence of the negligence found, and regardless of whether such negligence is present in its conduct, OPENBANK alleges that it follows from the AEPD's statements that the existence of intent or negligence in the actions of a controller or processor must be taken into consideration to aggravate its liability, when in reality this fact cannot simply be considered an aggravating factor but is rather a sine qua non condition for finding liability at all, as an essential element for a given conduct to be subject to sanctioning reproach. That is, the AEPD's reasoning leads to the conclusion that an element that must in any case be assessed in order to find an entity liable also operates as an aggravating factor, so that any violation of the data protection regulations would be aggravated by the very fact that liability is found.

In this regard, this Agency wishes to point out that the negligence found in OPENBANK's conduct is not the mere negligence required by our legal system as the subjective element of the infringement. It is especially serious negligence, since the company did not properly analyze the risks to the rights and freedoms of the data subjects that could result from sharing the documentation required under the LPBCFT through a medium that was not sufficiently secure, nor did it adopt appropriate security measures to provide an environment that would not jeopardize the confidentiality of this information; not even when a client (as in the specific case of the complainant) requested an alternative means of providing the required documentation was that client given a response to their concern or a secure means of communication for this purpose, nor was that request handled in a way that would have allowed the entity to re-evaluate the suitability of the chosen means of communication for sharing such information.


OPENBANK also alleges that the proposed resolution refers to the nature of the data processed as an aggravating circumstance, limiting itself to stating that it does not take into consideration the fact that they qualify as "financial data", something OPENBANK considers distorted. However, regardless of the nature of such data, what cannot be denied is that the AEPD has found the infringements referred to in the proposed resolution to have occurred on the basis of the nature of the data processed, thereby converting what has been treated as an element of the offence into an aggravating circumstance, in breach of the most basic principles of administrative sanctioning law.

In this regard, this Agency rejects the contention that, in the present case, the nature of the data processed constitutes an element of the offence. The obligation to implement data protection by design and by default, as well as the obligation to have security measures appropriate to the risk to the rights and freedoms of natural persons, must be complied with regardless of the nature of the data processed. What is certain is that, in the present case, these are data that deserve special protection, so the aggravating circumstance set out in Article 83(2)(g) GDPR clearly applies.


Finally, OPENBANK alleges that the AEPD repeatedly relies on the bank's business or turnover to increase the amount of the fine. Thus, (i) first, that circumstance is taken into account to reinforce the potential impact of the facts; (ii) at the same time, with respect to negligence, OPENBANK's conduct is judged on the understanding that its sector of activity demands special diligence; and (iii) finally, OPENBANK's business or turnover is considered to be linked to the performance of processing operations, which must entail a threefold aggravation derived from this single fact. That is, in the AEPD's view, when an entity belonging to the banking sector commits an alleged infringement, its conduct must be triply aggravated by the mere fact of what its activity is, which can hardly be considered consistent with the principle of proportionality.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 60/77


In this regard, this Agency wishes to point out that it relies on the bank's business or turnover to increase the amount of the fine only with respect to the aggravating factor provided for in Article 76(2) of the LOPDGDD, on the link between the offender's activity and the processing of personal data, since OPENBANK's business activity requires the continuous processing of personal data. It is nonetheless also true that, in assessing the degree of diligence required, the professionalism of the subject must be taken into account, so that when the activity of the controller involves the "constant and abundant handling of personal data", greater diligence is required, in accordance with the Judgment of the National Court (Audiencia Nacional) of 17 October 2007 (Rec. 63/2006).


                                          IV
                          Assessment of the evidence taken

The lack of a secure means of sending documentation in the "Protocol for communications to clients arising from AML/CFT alerts: OPENING AND MANAGEMENT OF GAPS, March 2021 version", relied on in the initiation agreement, made it necessary to verify effective compliance with the data protection principles in the processing at issue, for which it was considered appropriate to analyse the data protection impact assessment carried out by OPENBANK.

With the submissions made in response to the initiation agreement, OPENBANK provided document 4, "Impact Assessment - Monitoring of clients and sensitive operations (August 2021 version)", and document 5, "Impact Assessment - Monitoring of clients and sensitive operations (October 2022 version)", both of which were incorporated into the file of this procedure. However, neither of these documents was in force at the time of the events, since OPENBANK's request to the complaining party was made on 7 July 2021. Consequently, it was considered appropriate to open an evidentiary period.

The document provided by OPENBANK during the evidentiary period does not contemplate, in its risk assessment, the data collection activity that takes place when clients are required to send documentation in compliance with the LPBCFT, as occurred in the facts that are the object of this sanctioning procedure.

                                          V
  Special protection of data provided under Chapter II of Law 10/2010,
 of 28 April, on the prevention of money laundering and the financing
                               of terrorism (LPBCFT)

The need for special protection of personal data of a financial nature is a criterion shared by the European Data Protection Board (EDPB), which, in pursuit of the objective of ensuring the consistent application of the General Data Protection Regulation (a task assigned to it by Article 70 GDPR), has developed guidance to provide national supervisory authorities with a clear and transparent method for setting fines (Guidelines 04/2022 on the calculation of administrative fines under the GDPR).


Section 4.2.3 of the aforementioned Guidelines states (unofficial translation):

"Categories of personal data affected
58. As regards the requirement to take into account the categories of personal data affected (Article 83(2)(g) GDPR), the GDPR clearly highlights the types of data that deserve special protection and therefore a stricter response in terms of fines. This refers, at a minimum, to the types of data covered by Articles 9 and 10 GDPR, and to data outside the scope of those Articles whose dissemination causes immediate damage or distress to the data subject (e.g. location data, data on private communications, national identification numbers or financial data such as transaction summaries or credit card numbers)."

For its part, Article 32 bis of Law 10/2010, added by Article 3.15 of Royal Decree-Law 7/2021, of 27 April, requires reinforced measures from obliged entities when processing personal data within the scope of that law:

"... 4. Obliged entities must carry out a data protection impact assessment of the processing operations referred to in this Article in order to adopt reinforced technical and organisational measures to guarantee the integrity, confidentiality and availability of personal data. These measures must in any case guarantee the traceability of data access and communications." (emphasis added)

In complying with the LPBCFT, obliged entities process financial data, but not only data of that category: personal data of various kinds are also processed, namely identification, contact or economic data (business, professional, investment...). Data protection in compliance with the LPBCFT cannot be limited to the criteria applicable to just one of these data types, when what is being protected is access to the information that all of these personal data represent, not only individually but in their joint processing.

For its part, the "Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is 'likely to result in a high risk' for the purposes of Regulation (EU) 2016/679" state, insofar as relevant here:

"In order to provide a more concrete set of processing operations that require a DPIA due to their inherent high risk (...) the following nine criteria: 1. Evaluation or scoring, including profiling and predicting, especially from 'aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements' (recitals 71 and 91). Examples of this could include a financial institution that screens its customers against a credit reference database or against an anti-money laundering and counter-terrorist financing (AML/CTF) or fraud database..." (emphasis added).


The activity carried out by OPENBANK under Chapter II of the LPBCFT, whereby clients are asked to provide "the supporting documents that justify a certain income, since they will make it possible to clarify the origin of the funds that have been deposited into the client's account at OPENBANK", is that of a financial institution screening its clients against a possible anti-money laundering and counter-terrorist financing database, which is why these are operations likely to involve a higher risk.

So much so that the LPBCFT itself considered it appropriate to incorporate the need to carry out a data protection impact assessment of the processing operations referred to in that Article in order to adopt reinforced technical and organisational measures to guarantee the integrity, confidentiality and availability of personal data.

For completeness, Chapter 9.2 of the Handbook on European data protection law, prepared by the European Union Agency for Fundamental Rights, the Council of Europe, the European Court of Human Rights and the European Data Protection Supervisor, states with regard to "financial data": "Although financial data are not considered sensitive data under Convention 108 or the General Data Protection Regulation, their processing requires special safeguards to ensure the accuracy and security of the data. In particular, electronic payment systems need to incorporate data protection measures, that is, privacy or data protection by design and by default." The reference to privacy protection in electronic payment systems highlights their importance, but does not exclude that other financial data may equally require special safeguards, as occurs in the present case with the data collected under Chapter II of the LPBCFT.

The AEPD's Guide on risk management and impact assessment in the processing of personal data distinguishes three types of economic data that must be assessed when determining the risk level of a given processing operation for the purposes of carrying out the DPIA, differentiating between these three data categories:
       • Data related to the "[e]conomic situation (e.g., without being exhaustive, personal income, monthly income, assets (movable/immovable property), employment situation)". These data are assigned a "medium risk".
       • Data related to the "[f]inancial status (e.g., without being exhaustive, financial maturity, borrowing capacity, level of debt (personal loans, mortgages), solvency lists, defaults, assets (investment funds, returns generated, shares, accounts receivable, income received, etc.), liabilities (expenses on food, housing, education, health, taxes, loan repayments, credit cards or personal expenses, etc.), or debts or obligations)". These data are also assigned a "medium risk".
       • "Data on payment methods (e.g., without being exhaustive, credit cards and access credentials to virtual currency services)". These data are assigned a "high risk".

The documentation requested by OPENBANK pursuant to Chapter II of the LPBCFT, that is, "the supporting documentation relating to the origin of a deposit into your bank account (e.g. your payslip, employment contract, sales contract in the case of a real estate transaction, donation or inheritance, the invoice for services provided that is paid by the beneficiary of those services, the decision granting a certain aid, etc.)", contains data relating to the economic situation and financial status of clients, which make it possible to determine a person's financial situation or solvency, and which therefore require greater protection.

Information about the origin of deposits into clients' bank accounts is closely related to those banking movements and contains data relating to clients' economic situation and financial status, from which a person's financial situation or solvency can be determined, which is why they require greater protection.

In summary, all of the above means:

1.- That the personal data requested under Chapter II of the LPBCFT deserve special protection, due to the greater risk they entail for the rights and freedoms of natural persons.

2.- That obliged entities must carry out a data protection impact assessment for this type of processing, in order to adopt reinforced technical and organisational measures to guarantee the integrity, confidentiality and availability of personal data.


                                           VI
                   Data protection by design and by default

Article 25 "Data protection by design and by default" of the GDPR provides:

"1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.

3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article."

This Article is one of the general obligations that Chapter IV of the GDPR imposes on the controller, establishing a design obligation at the time of determining the means of processing, which must effectively guarantee compliance with the data protection principles.

In the present case, the lack of design of the processing by OPENBANK is shown by the fact that the activity of collecting data from clients does not appear in the so-called "processing life cycle" of the Excel file of its data protection impact assessment (provided during the evidentiary period of this procedure) that was in force at the time of the events complained of. Since this activity was not even foreseen, the appropriate technical and organisational measures were not applied to implement the data protection principles (among others, confidentiality) effectively, to comply with the requirements of the GDPR and to protect the rights of data subjects.

As for the analyses carried out by OPENBANK in the documents entitled "Impact Assessment - Monitoring of clients and sensitive operations", the August 2021 version, which was not even in force at the time of the events complained of (July 2021), merely provided, as a possibility, for clients to send information by means of an encrypted message, with the password sent through another channel. That document also mentions that "an internal request has been made so that data subjects can upload documents directly through the website, once they have logged in". However, it has been verified that the complaining party was never offered that possibility, neither in the initial communication sent by OPENBANK nor later, when an alternative secure channel for sending that information was requested. It was also found that the communication template sent to clients mentioned none of these options; it only referred to the possibility of replying to the email that had been sent, without any further instructions on how that information could be protected.

It is striking that, despite not providing clients with any sufficiently secure means of supplying the information they were obliged to provide, both documents, in their 2021 and 2022 versions, recognise that the risk inherent in such processing had a high impact on the rights and freedoms of data subjects.

And yet it is only in the October 2022 version that OPENBANK states that "customers will identify themselves by means of their DNI and access code to the private customer area".



What is certain is that the communication addressed to the client followed the document provided by OPENBANK as its protocol for requesting documentation from clients under the LPBCFT, and that communication indicated no means of providing that information beyond the possibility of replying to the email in question.

In any case, to comply with data protection by design and by default it is not enough simply to have a protocol document or a communication template if, on reviewing those documents, it turns out that no proper provision was made for the technical and organisational measures appropriate to implement the data protection principles effectively and to integrate the necessary safeguards into the processing, in order to meet the requirements of the GDPR and protect the rights of data subjects, as required by Article 25(1) GDPR.

Nor is it sufficient to have documents that establish protocols or procedures to be followed if, later, when the processing is actually carried out, appropriate measures to implement the data protection principles are likewise not provided, and the safeguards necessary to comply with the requirements of the GDPR are not integrated.

In the present case, it has been proven that the impact assessment in force at the time of the events complained of did not contemplate the processing of the data provided by clients under Chapter II of the LPBCFT, and that in July 2021 the complaining party was asked to send specific information, which could have a high impact on their rights and freedoms, by email, without further instructions on how that information could be sent through a secure channel.

It has also been proven that the complaining party had conveyed their concern on this point to the bank and had requested that a secure means of sharing that information be provided. But, given the bank's refusal, they had no option other than to send the requested information by ordinary email, against their wishes and despite having expressed their reluctance. The complaining party even expressly asked that their concern be taken into account and that a secure means of sharing this type of information be made available in the future.


However, the August 2021 documents that OPENBANK provided with its submissions in response to the initiation agreement foresee no other means.

From the documentation in the file, the following has been proven:

    - That in "Annex I - Communications to clients to request information and/or documentation for AML" of the document "PROTOCOL FOR COMMUNICATIONS TO CLIENTS ARISING FROM AML/CFT ALERTS: OPENING AND MANAGEMENT OF GAPS", dated March 2021, the first communication addressed to the client, in which the client is asked to prove the origin of the funds, does not specify any means by which that information must be provided to OPENBANK. Nor does the second communication addressed to the client specify any means of providing that documentation to the bank; instead, its text includes the warning that if the requested documentation is not received within the next 15 days, OPENBANK may block new deposits into the client's accounts.

    - That on 7 July 2021, OPENBANK asked the complaining party to send documentation proving the origin of certain funds, under the warning that in 15 days it could block new deposits into their account, without indicating any means by which that information should be provided.

    - That on 10 July 2021, the complaining party provided the requested documentation while expressing their disagreement, because when they asked how the information should be sent, they were told to do so by email and nothing more. In that email, the complaining party states that they do not consider this a secure means, that they are using it because they were forced to, and even suggests, as an example of a means with guarantees, the possibility of sending it "through the client portal", a possibility that OPENBANK never offered them. They also ask that the process be reviewed from a data protection standpoint and that appropriate measures be taken. However, this email received only an automatic acknowledgement of receipt from the bank, on 13 July 2021.

    - That the document "Impact Assessment - Monitoring of clients and sensitive operations", dated August 2021, provides for the data subject to be able to reply to the email with an encrypted message, sending the password through another channel, and records that a request has been made for this to be done directly through the website, once logged in.

    - That the document "Impact Assessment - Monitoring of clients and sensitive operations", dated October 2022, provides for clients to authenticate using their ID and access code to the private client area.

    - That the document "PROTOCOL FOR COMMUNICATIONS TO CLIENTS ARISING FROM TRANSACTIONAL MONITORING ALERTS FOR THE PREVENTION OF MONEY LAUNDERING AND TERRORIST FINANCING (PBC/FT)", dated October 2022, states that clients will be told to upload the documentation through the private area of the OPENBANK website, and that in "Annex I - Communications to clients to request information and/or documentation arising from an AML/CFT transactional monitoring alert" the client is instructed to send the documentation through the "Customer Area" of the OPENBANK website.

That is, the protocol in force at the time of the events (March 2021) did not provide any information on the method of sending the requested documentation.

In July 2021, the complaining party drew attention to this issue in the email sent to OPENBANK on 10 July 2021. But the bank ignored it and did not even answer a concern that clearly related to a question of personal data protection, which also shows that OPENBANK lacked an internal process for channelling such issues.


In August 2021, OPENBANK provided for the possibility of clients sending the documentation in question by encrypted email, with the password supplied through another email (without specifying which). And it is noted that a request had been made for that documentation to be provided through the customer area of the OPENBANK website.

And it is not until October 2022 that the communication protocols and the supposed impact assessment documents on this matter specifically incorporate the possibility for clients to provide the requested documentation through the OPENBANK website, logging into their client area.

That is, the solution of providing this information through the client area was adopted a year and a half after the March 2021 protocol update, and more than a year after the complaining party had drawn attention to this specific issue and the supposed impact assessment document on this matter had already foreseen it as a possibility to be followed up.

All of this shows that OPENBANK did not apply a data protection by design approach, either before or during the processing.


The legal interest protected by Article 25 GDPR is compliance with the GDPR as regards the obligation to design the processing in its entirety, identifying and assessing the risks to the rights and freedoms of data subjects for the purpose of implementing appropriate technical and organisational measures to apply the data protection principles effectively and thus comply with the GDPR. That has not happened in this case, since the possibility of clients submitting the information required under Chapter II of the LPBCFT, and how to ensure compliance with the GDPR in doing so, was not even assessed (neither before nor during the processing). Nor was the concern raised by the complaining party regarding the protection of their personal data in this matter even answered. The system did not even provide for an alert on any issue that might affect clients' rights and freedoms in terms of data protection, that is, a procedure to be triggered in the event of any failure of the system itself. On the contrary, the system was limited to replying with an automatic response, without analysing the substance of what the complaining party had raised and without providing a satisfactory answer (that is, without providing an appropriate means of sharing that information).

Therefore, in the present case, it is not only that the data subject (and clients in general) were offered no alternative means of sending the documents requested under Chapter II of the LPBCFT; it is that the impact assessment document in force in July 2021 (the document provided during the evidentiary phase of this sanctioning procedure) did not even contemplate the processing in question (the sending of that documentation by clients). That processing was only incorporated into the customer-monitoring impact assessment in August 2021, and it was not until October 2022 that the possibility for clients to send documentation through the OPENBANK client area was introduced, a possibility that the complaining party had already raised in July 2021 and that the same 2021 document listed as a possibility to be implemented. And this leaves aside the fact that the same 2021 impact assessment considered that the potential impact on the rights and freedoms of data subjects was high.

In accordance with the evidence available at the time of resolving this sanctioning procedure, it is considered that the facts established constitute an infringement, attributable to OPENBANK, for breach of Article 25 GDPR.


                                           VII
                 Classification of the infringement of Article 25 GDPR

The aforementioned infringement of Article 25 GDPR entails the commission of the infringements defined in Article 83(4) GDPR, which, under the heading "General conditions for imposing administrative fines", provides:

"Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

       (a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43; (...)"


For the purposes of the limitation period, Article 73 "Infringements considered serious" of the LOPDGDD provides:

"On the basis of Article 83(4) of Regulation (EU) 2016/679, infringements that involve a substantial breach of the articles mentioned therein are considered serious and are time-barred after two years, in particular the following:
       (...)
       d) The failure to adopt technical and organisational measures appropriate to implement the principles of data protection by design effectively, as well as the failure to integrate the necessary safeguards into the processing, in the terms required by Article 25 of Regulation (EU) 2016/679. (...)"

                                          VIII
                   Penalty for the infringement of Article 25 GDPR

For the purpose of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence available at the time of resolving this sanctioning procedure, it is considered appropriate to grade the penalty to be imposed according to the following criteria established in Article 83(2) GDPR:

As aggravating factors:


    - The nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them (point (a)): for not having applied appropriate technical and organisational measures to guarantee the effective application of the personal data protection principles and to integrate the necessary safeguards in order to comply with the requirements of the GDPR and protect the rights of two million potentially affected customers and 65,000 directly affected customers, at least from May 2018 to October 2022.

       Paragraph 54.b.iv of EDPB Guidelines 04/2022 includes, as one of the circumstances to be assessed in grading the fine, "the number of data subjects concerned, but also potentially affected", and clarifies in relation to this criterion: "The higher the number of data subjects involved, the more weight the supervisory authority may attribute to this factor. In many cases it may also be considered that the infringement takes on 'systematic' connotations and can therefore affect, even at different times, additional data subjects who have not submitted complaints or reports to the supervisory authority. The supervisory authority may, depending on the circumstances of the case, consider the relationship between the number of data subjects affected and the total number of data subjects in that context (for example, the number of citizens, customers or employees) in order to assess whether the infringement is systemic in nature."

    - Intentional or negligent character of the infringement (point (b)): OPENBANK has been seriously negligent, since the company never carried out a proper analysis of how to apply the data protection principles effectively and integrate the necessary safeguards in the sending of the documentation requested from clients under the LPBCFT, in order to comply with the requirements of the GDPR and protect the rights of data subjects, not even when a client (as in the specific case of the complaining party) drew attention to this issue; nor was that request handled in a way that would have allowed the entity to re-evaluate the adequacy of the means of communication it had chosen for sharing such information. On the degree of diligence that a controller is required to exercise in complying with the obligations imposed by data protection rules, the Judgment of the National Court (Audiencia Nacional) of 17 October 2007 (Rec. 63/2006) is relevant; although it was handed down before the GDPR entered into force, its reasoning can be perfectly extrapolated to the case at hand. That Judgment, after noting that entities whose activity involves the continuous processing of customer and third-party data must observe an adequate level of diligence, stated that "(...) the Supreme Court has held that negligence exists whenever a legal duty of care is disregarded, that is, when the offender does not behave with the required diligence. And in assessing the degree of diligence, the professionalism or otherwise of the subject must be especially considered, and there is no doubt that, in the case now examined, when the appellant's activity is the constant and abundant handling of personal data, rigour and exquisite care in complying with the legal requirements in this regard must be insisted upon."

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 70/77

       - The categories of personal data affected by the infringement (point g):
       In the present case, the data subject was asked to justify the origin of
       various amounts received in their account, which entails a greater risk to
       the rights and freedoms of the data subject, so that these are data that
       deserve special protection.

Likewise, it is considered appropriate to grade the penalty to be imposed in accordance
with the following criteria established in article 76(2) "Sanctions and corrective
measures" of the LOPDGDD:

As an aggravating factor:

    - The link between the offender's activity and the processing of personal data
       (point b): the business activity carried out by OPENBANK requires the
       continuous processing of personal data.

The balance of the circumstances contemplated in article 83(2) of the GDPR and article
76(2) of the LOPDGDD, with respect to the infringement committed by breaching article 25
of the GDPR, allows a fine of €1,500,000 (one million five hundred thousand euros) to be
imposed.

                                           IX
                                 Security measures


Article 32 "Security of processing" of the GDPR establishes:

"1. Taking into account the state of the art, the costs of implementation and the
nature, scope, context and purposes of processing as well as the risk of varying
likelihood and severity for the rights and freedoms of natural persons, the controller
and the processor shall implement appropriate technical and organisational measures to
ensure a level of security appropriate to the risk, including inter alia as appropriate:

a) the pseudonymisation and encryption of personal data;

b) the ability to ensure the ongoing confidentiality, integrity, availability and
resilience of processing systems and services;

c) the ability to restore the availability and access to personal data in a timely
manner in the event of a physical or technical incident;

d) a process for regularly testing, assessing and evaluating the effectiveness of
technical and organisational measures for ensuring the security of the processing.

2. In assessing the appropriate level of security account shall be taken in particular
of the risks that are presented by processing, in particular from accidental or
unlawful destruction, loss, alteration, unauthorised disclosure of, or access to
personal data transmitted, stored or otherwise processed.

3. Adherence to an approved code of conduct as referred to in Article 40 or an approved
certification mechanism as referred to in Article 42 may be used as an element by which
to demonstrate compliance with the requirements set out in paragraph 1 of this Article.

4. The controller and processor shall take steps to ensure that any natural person
acting under the authority of the controller or the processor who has access to
personal data does not process them except on instructions from the controller, unless
he or she is required to do so by Union or Member State law."

In the present case, neither the March 2021 protocol nor the email sent by OPENBANK to
the complainant on 7 July 2021 indicated any means of communication for sending the
documentation requested by OPENBANK. The only channel for sending documents was to
reply to the email itself, since no other channel was offered to the customer.

In the specific case, OPENBANK did not provide its customer with an appropriate means of
providing the documentation, even despite the complainant's warnings in this regard, so
the documents were sent without adequate security measures.

And this despite the fact that documents 4 and 5 submitted by OPENBANK together with its
submissions, entitled "Impact assessment - Customer monitoring and sensitive
operations", versions of August 2021 and October 2022 respectively, classify the risk as
high impact in section "13. Security". Only in the October 2022 version has the
following indication been added on page 43 under "Control and residual risk": "It has
been ensured that the communication channels with customers arising from matters
related to the prevention of money laundering and terrorist financing have the
technical measures necessary to guarantee the protection of their personal data.
Customers will identify themselves by means of their ID and access key to the private
customer area."

In this sense, email cannot be considered an appropriate medium for guaranteeing a level
of security appropriate to the risk when sending documentation that contains personal
data of the kind provided under Chapter II of the LPBCFT, which require special
protection, taking into account the anti-money laundering legislation, the nature of
the data being processed and the GDPR.


Regarding email security, the "Good Practices Report" CCN-CERT BP/02 of May 2021, from
the Centro Criptológico Nacional (National Cryptologic Centre), a body attached to the
Centro Nacional de Inteligencia (National Intelligence Centre) whose mission is to
contribute to improving Spanish cybersecurity, describes a series of email
vulnerabilities and the various ways in which email can be attacked, as well as
security recommendations. Section 4.2 of that Report, "Security of communications via
email", states the following on pages 37 to 39:
"The protocol involved in this sending process is SMTP. This protocol has been in use
since 1982 and, when it was implemented, security measures such as encryption or
authentication of communications were not taken into account. This means that the
entire sending process described above would be carried out in plain text, that is, at
any point in the transmission an attacker could see and manipulate the content of the
emails. Because of these shortcomings in SMTP, various technologies and extensions have
been developed that make it possible to incorporate security measures to guarantee the
authentication, integrity and encryption of email communications. Some of the best
known technologies are STARTTLS, SPF, DKIM and DMARC… Although the best-known email
providers such as Google, Yahoo and Outlook encrypt and authenticate emails using these
kinds of technologies, many organisations continue to make careless use of email. It
should also be borne in mind that these technologies must be implemented at both the
origin and the destination in order to be used. Likewise, some of these measures are
susceptible to attack. For example, STARTTLS is susceptible to downgrade attacks, in
which an attacker in a man-in-the-middle position can force the TLS negotiation not to
take place (replacing the STARTTLS string would suffice). Even if the TLS communication
is established successfully, the mail servers through which the email passes until
reaching its destination would have access to its content. From these facts it follows
that it is not enough to delegate email security to the underlying technologies
responsible for delivering it to its recipient."
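The STARTTLS downgrade described in the quoted passage, as an added example that is not part of the resolution or of the CCN-CERT report: a simulated SMTP EHLO exchange (no network access; the server reply, the attacker's rewrite and the message are constructed strings) in which an on-path attacker overwrites the "250-STARTTLS" capability line, and two client policies are compared: opportunistic TLS, which silently falls back to plaintext, and a fail-closed client that refuses to send. The constant and function names are the example's own.

```python
"""Simulated SMTP EHLO/STARTTLS negotiation and a STARTTLS downgrade.

Constructed example: no sockets are opened. The server capability list,
the attacker's rewrite and the message body are embedded strings.
"""
import re

# Constructed EHLO reply (RFC 5321 multi-line response) from a server that
# advertises the STARTTLS extension (RFC 3207).
SERVER_EHLO = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)

# Constructed message a customer might send in reply to an AML request.
MESSAGE = "Subject: Origin of funds\r\n\r\nAttached: payslips and sale contract.\r\n"


def mitm_strip_starttls(ehlo_response: str) -> str:
    """On-path attacker: overwrite the STARTTLS capability line so the client
    concludes that the server cannot upgrade to TLS. Keeping the line length
    and the '250-' continuation prefix keeps the reply syntactically valid."""
    return ehlo_response.replace("250-STARTTLS\r\n", "250-XXXXXXXX\r\n")


def advertised_extensions(ehlo_response: str) -> set[str]:
    """Parse the EHLO reply: skip the greeting line, collect the keyword of
    every '250-EXT' / '250 EXT' continuation line, upper-cased."""
    exts: set[str] = set()
    for line in ehlo_response.split("\r\n")[1:]:
        m = re.match(r"250[ -](\S+)", line)
        if m:
            exts.add(m.group(1).upper())
    return exts


def negotiate(ehlo_response: str, require_tls: bool) -> str:
    """Client decision after EHLO.

    'tls'       - STARTTLS advertised, client upgrades before sending.
    'plaintext' - STARTTLS missing and the client is opportunistic: it
                  carries on in the clear (the downgrade succeeds).
    'abort'     - STARTTLS missing and the client fails closed.
    """
    if "STARTTLS" in advertised_extensions(ehlo_response):
        return "tls"
    return "abort" if require_tls else "plaintext"


def observer_view(ehlo_response: str, require_tls: bool, message: str):
    """What the on-path attacker can read of the DATA phase.

    Returns (outcome, visible_message); visible_message is None when the
    body is encrypted (TLS) or never sent (abort). Even in the 'tls' case
    the next-hop mail server, once it has decrypted the session, sees the
    body in full: STARTTLS is hop-by-hop, not end-to-end.
    """
    outcome = negotiate(ehlo_response, require_tls)
    if outcome == "plaintext":
        return outcome, message
    return outcome, None


if __name__ == "__main__":
    for label, ehlo in (("honest server", SERVER_EHLO),
                        ("attacker-modified", mitm_strip_starttls(SERVER_EHLO))):
        for require_tls in (False, True):
            outcome, seen = observer_view(ehlo, require_tls, MESSAGE)
            print(f"{label:18} require_tls={require_tls!s:5} -> {outcome:9} "
                  f"attacker sees body: {seen is not None}")
```

A real client behaves like the opportunistic branch whenever it only upgrades when the extension is advertised; Python's `smtplib` raises `SMTPNotSupportedError` from `SMTP.starttls()` when it is not, so the fail-closed behaviour is simply to let that exception abort the send rather than catching it and continuing in the clear. Whether a destination may be required to offer TLS is what MTA-STS (RFC 8461) and DANE for SMTP (RFC 7672) publish; neither is discussed in the resolution, and they are noted here only as the standard mechanisms that take away the attacker's option of stripping the capability line.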

In light of the security deficiencies noted above, the need to adopt reinforced measures
to appropriately guarantee the integrity and confidentiality of personal data sent by
email when personal data deserving special protection are communicated, as in the
present case, is evident; such measures were not applied, which has posed a higher risk
for OPENBANK customers who submit personal data through this medium.


It should be noted that the GDPR does not establish a list of security measures that
are applicable according to the data being processed; rather, by virtue of the
principle of accountability in article 5(2) of the GDPR, which requires the controller
to guarantee the effective privacy and integrity of the data, both the controller and
the processor shall implement technical and organisational measures appropriate to the
risk entailed by the processing, taking into account the state of the art, the costs of
implementation, the nature, scope, context and purposes of the processing, and the
risks of varying likelihood and severity for the rights and freedoms of the persons
concerned. Furthermore, the controller must be able to demonstrate that it has
implemented these measures and that they are appropriate to achieve the intended
purpose.

Likewise, the security measures must be appropriate and proportionate to the risk
identified, and the determination of the technical and organisational measures must be
carried out taking into account: pseudonymisation and encryption; the ability to
guarantee confidentiality, integrity, availability and resilience; the ability to
restore availability and access to the data after an incident; and a process of
verification (not audit), evaluation and assessment of the effectiveness of the
measures.

In any case, when assessing the adequacy of the level of security, particular account
shall be taken of the risks presented by the processing, in particular as a consequence
of the accidental or unlawful destruction, loss or alteration of personal data
transmitted, stored or otherwise processed, or the unauthorised disclosure of or access
to such data, which could cause physical, material or non-material damage.

In this same sense, recital 83 of the GDPR states that:

"(83) In order to maintain security and to prevent processing in infringement of this
Regulation, the controller or processor should evaluate the risks inherent in the
processing and implement measures to mitigate those risks, such as encryption. Those
measures should ensure an appropriate level of security, including confidentiality,
taking into account the state of the art and the costs of implementation in relation to
the risks and the nature of the personal data to be protected. In assessing data
security risk, consideration should be given to the risks that are presented by
personal data processing, such as accidental or unlawful destruction, loss, alteration,
unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise
processed which may in particular lead to physical, material or non-material damage."


For all the above, the technical and organisational measures applied by OPENBANK when
requesting information from its customers (and specifically from the complainant) in
compliance with anti-money laundering legislation did not guarantee a level of security
appropriate to the risk, as required by article 32 of the GDPR, given the nature of the
personal data processed, which deserve special protection in terms of their
confidentiality and integrity.

Subsidiarily, regarding the application of reinforced technical and organisational
measures to the processing in question, it can be stated that the fact that a
processing operation as a whole is not considered high risk and does not have to
undergo a data protection impact assessment does not mean that security measures
appropriate to the risk presented by any of the activities or stages of the processing
in question should not be applied, in accordance with article 32 of the GDPR.

In the processing cycle, which comprises various different activities, the risk need
not be uniform; there may be different levels of risk at the different stages of the
processing, depending on the activities that make it up. And if there is a high risk in
one phase, even though the processing as a whole is not high risk, appropriate measures
should be implemented.

In accordance with the evidence available at the time of resolving this sanctioning
procedure, the known facts are considered to constitute an infringement, attributable
to OPENBANK, for breach of article 32 of the GDPR.

                                          X
                 Classification of the violation of article 32 of the RGPD

The aforementioned violation of article 32 of the GDPR entails the commission of one of
the infringements defined in article 83(4) of the GDPR, which under the heading "General
conditions for imposing administrative fines" provides:

"Infringements of the following provisions shall, in accordance with paragraph 2, be
subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking,
up to 2 % of the total worldwide annual turnover of the preceding financial year,
whichever is higher:

       a) the obligations of the controller and the processor pursuant to Articles 8,
       11, 25 to 39 and 42 and 43; (…)"


For the purposes of the limitation period, article 73 "Infringements considered serious"
of the LOPDGDD indicates:

"On the basis of article 83(4) of Regulation (EU) 2016/679, infringements that involve a
substantial breach of the articles mentioned therein are considered serious and become
time-barred after two years, and in particular the following:
       (…)
       f) The failure to adopt those technical and organisational measures that are
       appropriate to guarantee a level of security adequate to the risk of the
       processing, in the terms required by article 32(1) of Regulation (EU)
       2016/679."

                                          XI
                   Penalty for violation of article 32 of the GDPR


For the purposes of deciding on the imposition of an administrative fine and its amount,
in accordance with the evidence available at the time of resolving the sanctioning
procedure, it is considered appropriate to grade the penalty to be imposed in
accordance with the following criteria established in article 83(2) of the GDPR:


As aggravating factors:

    - The nature, gravity and duration of the infringement, taking into account the
       nature, scope or purpose of the processing concerned as well as the number of
       data subjects affected and the level of damage suffered by them (point a): for
       not having an appropriate means of sending the documentation requested under
       the LPBCFT, from May 2018 to October 2022, directly affecting the rights and
       freedoms of 65,000 data subjects and potentially two million customers.

       Paragraph 54.b.iv of EDPB (CEPD) Guidelines 04/2022 includes, among the
       circumstances to be assessed when grading the fine, "the number of data subjects
       specifically concerned, but also potentially affected", and clarifies, in relation
       to this criterion: "The higher the number of data subjects involved, the more
       weight the supervisory authority may attribute to this factor. In many cases it
       may also be considered that the infringement takes on 'systematic' connotations
       and may therefore affect, even at different times, additional data subjects who
       have not lodged complaints or reports with the supervisory authority. Depending
       on the circumstances of the case, the supervisory authority may consider the
       relationship between the number of data subjects affected and the total number
       of data subjects in that context (for example, the number of citizens, customers
       or employees) in order to assess whether the infringement is systemic in nature."


       - Intentionality or negligence in the infringement (point b): OPENBANK has
       been seriously negligent in determining the means of sending the
       documentation required from customers under the LPBCFT, since at no time did
       the company adopt security measures appropriate to the risk to the rights and
       freedoms of natural persons, not even when a customer (as in the specific case
       of the complainant) drew attention to this issue, and even though its own
       impact assessment document had indicated the need to have the information
       requested under the LPBCFT sent through the private area of the bank's website
       and had stated that the processing was high impact for rights and freedoms.
       As regards the degree of diligence that a controller is obliged to deploy in
       complying with the obligations imposed by data protection legislation, the
       Judgment of the Audiencia Nacional (National High Court) of 17 October 2007
       (Rec. 63/2006) is relevant. Although it was handed down before the GDPR came
       into force, its reasoning can be fully extrapolated to the case at hand.
       After noting that entities whose activity involves the continuous processing
       of customer and third-party data must observe an adequate level of diligence,
       that Judgment specified that "(...) the Supreme Court has held that
       negligence exists whenever a legal duty of care is disregarded, that is, when
       the offender does not act with the required diligence. And in assessing the
       degree of diligence, the professional or non-professional status of the
       subject must be given particular consideration, and there is no doubt that,
       in the case now examined, where the appellant's activity involves the
       constant and abundant handling of personal data, rigour and exquisite care in
       complying with the legal requirements in this regard must be insisted upon."
       Given the high impact this could have on the data subjects, OPENBANK was
       obliged to find solutions that do not pose a greater risk to the rights and
       freedoms of its customers and that guarantee the security of the data.

       - The categories of personal data affected by the infringement (point g):
       In the present case, the data subject was asked to justify the origin of
       various amounts received in their account, and providing that information
       without adequate security measures could increase their vulnerability to
       possible attacks, which implied a greater risk to the rights and freedoms of
       the data subject.



Likewise, it is considered appropriate to grade the penalty to be imposed in accordance
with the following criteria established in article 76(2) "Sanctions and corrective
measures" of the LOPDGDD:


As an aggravating factor:

    - The link between the offender's activity and the processing of personal data
       (point b): the business activity carried out by OPENBANK requires the
       continuous processing of personal data.


The balance of the circumstances contemplated in article 83(2) of the GDPR and article
76(2) of the LOPDGDD, with respect to the infringement committed by breaching article 32
of the GDPR, allows a fine of €1,000,000 (one million euros) to be imposed.




Therefore, in accordance with the applicable legislation and having assessed the
criteria for grading penalties whose existence has been proven, the Director of the
Spanish Data Protection Agency RESOLVES:


FIRST: TO IMPOSE ON OPEN BANK, S.A., with NIF A28021079, for the violation of article 25
of the GDPR a fine of €1,500,000.00 (ONE MILLION FIVE HUNDRED THOUSAND EUROS), and for
the violation of article 32 of the GDPR a fine of €1,000,000.00 (ONE MILLION EUROS),
both classified under article 83(4) of the GDPR.


SECOND: TO NOTIFY this resolution to OPEN BANK, S.A.

THIRD: To warn the sanctioned party that it must pay the penalty imposed once this
resolution becomes enforceable, in accordance with art. 98.1.b) of Law 39/2015, of 1
October, on the Common Administrative Procedure of Public Administrations (hereinafter
LPACAP), within the voluntary payment period established in art. 68 of the General
Collection Regulations, approved by Royal Decree 939/2005, of 29 July, in relation to
art. 62 of Law 58/2003, of 17 December, by paying it, indicating the NIF of the
sanctioned party and the procedure number appearing in the heading of this document,
into the restricted account IBAN: ES00 0000 0000 0000 0000 0000 (BIC/SWIFT code:
XXXXXXXXXXXX), opened in the name of the Spanish Data Protection Agency at the bank
CAIXABANK, S.A. Otherwise, it will be collected in the enforcement period.


Once the notification has been received and the resolution has become enforceable, if
the date on which it becomes enforceable falls between the 1st and the 15th of the
month, both inclusive, the deadline for voluntary payment will be the 20th of the
following month or the next business day thereafter, and if it falls between the 16th
and the last day of the month, both inclusive, the payment deadline will be the 5th of
the second following month or the next business day thereafter.


In accordance with article 76(4) of the LOPDGDD, and given that the amount of the
penalty imposed exceeds one million euros, the information identifying the offender,
the infringement committed and the amount of the penalty will be published in the
Official State Gazette.


In accordance with article 50 of the LOPDGDD, this resolution will be made public once
it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure in accordance
with art. 48.6 of the LOPDGDD, and in accordance with article 123 of the LPACAP, the
interested parties may optionally lodge an appeal for reconsideration before the
Director of the Spanish Data Protection Agency within one month from the day following
notification of this resolution, or directly a contentious-administrative appeal before
the Contentious-Administrative Chamber of the Audiencia Nacional, in accordance with
article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of 13
July, regulating the Contentious-Administrative Jurisdiction, within two months from the
day following notification of this act, as provided in article 46.1 of that Law.

Finally, it is noted that, in accordance with art. 90.3 a) of the LPACAP, the final
resolution may be provisionally suspended through administrative channels if the
interested party expresses its intention to lodge a contentious-administrative appeal.
If so, the interested party must formally communicate this fact in writing to the
Spanish Data Protection Agency, submitting it through the Agency's Electronic Registry
[https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries
provided for in art. 16.4 of the aforementioned Law 39/2015, of 1 October. It must also
provide the Agency with the documentation proving that the contentious-administrative
appeal has actually been lodged. If the Agency is not informed of the lodging of the
contentious-administrative appeal within two months from the day following notification
of this resolution, the precautionary suspension will end.

                                                                                 938-010623
Mar España Martí
Director of the Spanish Data Protection Agency
