AEPD (Spain) - EXP202105363: Difference between revisions

From GDPRhub
mNo edit summary
mNo edit summary
 
(4 intermediate revisions by the same user not shown)
Line 65: Line 65:
}}
}}


The DPA dismissed an appeal by a bank after finding it lacked a legal basis in granting a credit card, transferring inaccurate debt information to a credit reporter and selling the debt relating to a data subject whose identity was stolen.
The DPA confirmed its previous fine of €70,000 on a bank, finding that it lacked a legal basis to process personal data that was stolen and that the controller was negligent in verifying the identity of the data subject for a credit application.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
On 24 November 2021, a data subject filed a complaint with the Spanish DPA (AEPD) after she attempted to obtain a loan from Caixabank Payments & Consumer EFC, EP, S.A.U. (the controller) but was denied because credit reporters noted a debt related to an application for an Ikea credit card, which is credited by the controller. However, the data subject was a victim of identity theft -- she did not contract for an Ikea credit card at any point and the contract supposedly executed for the card in fact contained personal data (phone number, email address, home address, bank account, business name and signature) that did not correspond to her.  
On 24 November 2021, a data subject filed a complaint with the Spanish DPA (AEPD) after she attempted to obtain a loan from Caixabank Payments & Consumer EFC, EP, S.A.U. (the controller) but was denied because credit reporters noted a debt related to an application for an Ikea credit card, which is credited by the controller. However, the data subject was a victim of identity theft -- she did not contract for an Ikea credit card and the contract supposedly executed for the card in fact contained personal data (phone number, email address, home address, bank account, business name and signature) that did not correspond to her.  


Ikea Ibérica, S.A. provides documentation for applying for credit at the request of its customers. The contract and processing of the data is instructed by the controller, which acts as the creditor and ultimately processes the data subject’s personal data. The Ikea credit card at issue in this case was activated by an Ikea vendor on 13 January 2020. By June of 2020, the debt on the card amounted to 690.25 EURO. The debt was recorded with ASNEF, a credit reporter. The debt was then discharged by the controller and sold to Kruk España S.L. as part of a package of debts, who later sold it to InvestCapital, Ltd.   
Ikea Ibérica, S.A. provides documentation for applying for credit at the request of its customers. The contract and processing of the data is instructed by the controller, which acts as the creditor and ultimately processes the data subject’s personal data. The Ikea credit card at issue in this case was activated by an Ikea vendor on 13 January 2020. By June of 2020, the debt on the card amounted to €690.25. The debt was recorded with ASNEF, a credit default reporter. The debt was then discharged by the controller and sold to Kruk España S.L. as part of a debt portfolio, who later sold it to InvestCapital, Ltd.   


On 14 December 2023, the AEPD issued a decision finding that the controller violated [[Article 6 GDPR#1|Article 6(1) GDPR]] when it processed the data subject’s personal data without any legal basis and issued a fine of €70,000. It noted that the processing began with the fraudulent contracting of the Ikea credit card, which it assigned to the data subject, continued with the transfer of the data subject’s personal data to ASNEF as part of a credit report for a debt that did not correspond to her, and ended with the sale of the debt to Kruk. The AEPD rejected the applicability of Article 20 LOPDGDD (Spain’s national implementation of the GDPR), which articulates a presumption of legal basis where data refers to debts which are certain, due and payable, because the debt in this case did not correspond to the data subject and thus did not meet these requirements. The AEPD also rejected the applicability of [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] as a legal basis because the controller did not establish that its legitimate interests prevailed over the rights and interests of the data subject. The AEPD also rejected the controller’s attempts to pass culpability onto KRUK and InvestCapital, noting that they acquired a package of debts from the controller and relied on the appearance of the accuracy of the assigned credits. Thus, their obtaining of the debt could not constitute a violation of [[Article 6 GDPR#1|Article 6(1) GDPR]].  
On 14 December 2023, the AEPD issued a decision finding that the controller violated [[Article 6 GDPR#1|Article 6(1) GDPR]] when it processed the data subject’s personal data without any legal basis and issued a fine of €70,000. It noted that the controller's processing began with the fraudulent contracting of the Ikea credit card which it assigned to the data subject, continued with the transfer of the data subject’s personal data to ASNEF as part of a credit report for a debt that did not correspond to her, and ended with the sale of the debt to Kruk. The AEPD rejected the applicability of [https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673 Article 20 LOPDGDD] (Spain’s national implementation of the GDPR), which articulates a presumption of legal basis where data refers to debts which are certain, due and payable, because the debt in this case did not correspond to the data subject and thus did not meet these requirements. The AEPD also dismissed the applicability of [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] as a legal basis because the controller did not establish that its legitimate interests prevailed over the rights and interests of the data subject. Finally, the AEPD rejected the controller’s attempts to pass culpability onto KRUK and InvestCapital, noting that they acquired a debt portfolio from the controller and relied on the appearance of the accuracy of the assigned credits. Thus, their obtaining of the debt could not constitute a violation of [[Article 6 GDPR#1|Article 6(1) GDPR]].  


On 14 November 2023, the controller filed an internal appeal with the AEPD. It restated the arguments it made in response to the initial complaint. It also raised arguments of non bis in idem and absence of guilt, claiming that at the time of the debt’s transfer it had no knowledge of the fraudulent use of the claimant’s data and thus could not bear responsibility for the theft.
On 14 November 2023, the controller filed an internal appeal with the AEPD. It restated the arguments it made in response to the initial complaint. It also raised arguments of non bis in idem and absence of guilt, claiming that at the time of the debt’s transfer it had no knowledge of the fraudulent use of the claimant’s data and thus could not bear responsibility for the theft.
Line 81: Line 81:
The AEPD dismissed the appeal and upheld its finding of an Article 6(1) GDPR violation and €70,000 fine.  
The AEPD dismissed the appeal and upheld its finding of an Article 6(1) GDPR violation and €70,000 fine.  


It reiterated that because the debt in this case did not correspond to the claimant, it was not certain, due or payable, meaning that the presumption of legality provided in Article 20 LOPGDGDD cannot apply in this case. Legitimate interest under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] is also not a valid legal basis in this case, as there is no evidence that the controller considered the balance between its legitimate interests and the rights and interests of the data subject.  
It reiterated that because the debt in this case did not correspond to the claimant, it was not certain, due or payable, meaning that the presumption of legality provided in [https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673 Article 20 LOPGDGDD] cannot apply in this case. Legitimate interest under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] is also not a valid legal basis in this case, as there is no evidence that the controller considered the balance between its legitimate interests and the rights and interests of the data subject.  


The AEPD also emphasised that the data subject’s data continued to be processed without legal basis until its effective deletion. It rejected the controller’s arguments that it deleted the data as soon as it became aware of an alleged fraud or forgery, noting that in fact the data was removed from the controller’s systems as a result of the sale of the debt, not as a result of a deletion request.  
The AEPD emphasised that the data subject’s data continued to be processed without legal basis until its effective deletion. It rejected the controller’s arguments that it deleted the data as soon as it became aware of an alleged fraud or forgery, noting that in fact the data was removed from the controller’s systems as a result of the sale of the debt, not as a result of a deletion request.  


The AEPD rejected the controller’s argument that none could be sanctioned without fault, noting that the controller was indeed at fault. It considered that the controller was negligent in failing to carry out appropriate verifications of the contracting data subject’s identity. Indeed, in this case, the majority of the information provided by the identity thief was in fact false. The AEPD found that none of the measures adopted to verify accuracy of the information provided aimed at verifying the data subject’s identity. Instead, the focus was on ensuring the loan would go to an existing bank account – whosoever’s that may be.  The AEPD clarified that this does not mean that a controller is responsible for preventing an illegal or criminal act such as identity theft from occurring. However, where it is a necessary diligence for the controller to comply with its obligations concerning protections of personal data, both with regard to the requirement of consent as well as the principle of truthfulness and accuracy of data, then a controller must implement measures aimed at verifying that the person the controller is contracting with is in fact the holder of the identity documentation provided.
The AEPD rejected the controller’s argument that none could be sanctioned without fault, finding that the controller was at fault in this case. It considered the controller negligent in failing to carry out an appropriate verification of the contracting data subject’s identity. Indeed, in this case, the majority of the information provided by the identity thief was false and not attributable to the data subject. The AEPD found that none of the measures adopted to verify accuracy of the information provided were aimed at verifying the data subject’s identity. Instead, the controller's focus was on ensuring the loan would go to an existing bank account – whosoever’s that may be.  The AEPD clarified that this does not mean that a controller is responsible for preventing an illegal or criminal act such as identity theft from occurring. However, where it is a necessary diligence for the controller to comply with its obligations concerning protections of personal data, both with regard to the requirement of consent as well as the principle of truthfulness and accuracy of data, then a controller must implement measures aimed at verifying that the person the controller is contracting with is in fact the holder of the identity documentation provided.


Finally, the AEPD reiterated that the fault in this case lay with the controller and not with any of the debt buyers because they purchased the data as an acquirer in ‘good faith’ and thus cannot be found to have violated [[Article 6 GDPR#1|Article 6(1) GDPR]].
Finally, the AEPD reiterated that the fault in this case lay with the controller and not with any of the debt buyers because they purchased the data as an acquirer in ‘good faith’ and thus cannot be found to have violated [[Article 6 GDPR#1|Article 6(1) GDPR]].

Latest revision as of 14:32, 15 May 2024

AEPD - EXP202105363
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Article 6(1)(f) GDPR
Ley 39/2015, de 1 de octubre, del Procedimiento Administrativo Común de las Administraciones Públicas
Type: Other
Outcome: n/a
Started: 24.11.2021
Decided: 06.05.2024
Published:
Fine: 70,000
Parties: Caixabank Payments & Consumer EFC, EP, S.A.U.
National Case Number/Name: EXP202105363
European Case Law Identifier: n/a
Appeal: Appealed - Confirmed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: lm

The DPA confirmed its previous fine of €70,000 on a bank, finding that it lacked a legal basis to process personal data that was stolen and that the controller was negligent in verifying the identity of the data subject for a credit application.

English Summary

Facts

On 24 November 2021, a data subject filed a complaint with the Spanish DPA (AEPD) after she attempted to obtain a loan from Caixabank Payments & Consumer EFC, EP, S.A.U. (the controller) but was denied because credit reporters noted a debt related to an application for an Ikea credit card, which is credited by the controller. However, the data subject was a victim of identity theft -- she did not contract for an Ikea credit card and the contract supposedly executed for the card in fact contained personal data (phone number, email address, home address, bank account, business name and signature) that did not correspond to her.

Ikea Ibérica, S.A. provides documentation for applying for credit at the request of its customers. The contract and processing of the data is instructed by the controller, which acts as the creditor and ultimately processes the data subject’s personal data. The Ikea credit card at issue in this case was activated by an Ikea vendor on 13 January 2020. By June of 2020, the debt on the card amounted to €690.25. The debt was recorded with ASNEF, a credit default reporter. The debt was then discharged by the controller and sold to Kruk España S.L. as part of a debt portfolio, who later sold it to InvestCapital, Ltd.

On 14 December 2023, the AEPD issued a decision finding that the controller violated Article 6(1) GDPR when it processed the data subject’s personal data without any legal basis and issued a fine of €70,000. It noted that the controller's processing began with the fraudulent contracting of the Ikea credit card which it assigned to the data subject, continued with the transfer of the data subject’s personal data to ASNEF as part of a credit report for a debt that did not correspond to her, and ended with the sale of the debt to Kruk. The AEPD rejected the applicability of Article 20 LOPDGDD (Spain’s national implementation of the GDPR), which articulates a presumption of legal basis where data refers to debts which are certain, due and payable, because the debt in this case did not correspond to the data subject and thus did not meet these requirements. The AEPD also dismissed the applicability of Article 6(1)(f) GDPR as a legal basis because the controller did not establish that its legitimate interests prevailed over the rights and interests of the data subject. Finally, the AEPD rejected the controller’s attempts to pass culpability onto KRUK and InvestCapital, noting that they acquired a debt portfolio from the controller and relied on the appearance of the accuracy of the assigned credits. Thus, their obtaining of the debt could not constitute a violation of Article 6(1) GDPR.

On 14 November 2023, the controller filed an internal appeal with the AEPD. It restated the arguments it made in response to the initial complaint. It also raised arguments of non bis in idem and absence of guilt, claiming that at the time of the debt’s transfer it had no knowledge of the fraudulent use of the claimant’s data and thus could not bear responsibility for the theft.

Holding

The AEPD dismissed the appeal and upheld its finding of an Article 6(1) GDPR violation and €70,000 fine.

It reiterated that because the debt in this case did not correspond to the claimant, it was not certain, due or payable, meaning that the presumption of legality provided in Article 20 LOPGDGDD cannot apply in this case. Legitimate interest under Article 6(1)(f) GDPR is also not a valid legal basis in this case, as there is no evidence that the controller considered the balance between its legitimate interests and the rights and interests of the data subject.

The AEPD emphasised that the data subject’s data continued to be processed without legal basis until its effective deletion. It rejected the controller’s arguments that it deleted the data as soon as it became aware of an alleged fraud or forgery, noting that in fact the data was removed from the controller’s systems as a result of the sale of the debt, not as a result of a deletion request.

The AEPD rejected the controller’s argument that none could be sanctioned without fault, finding that the controller was at fault in this case. It considered the controller negligent in failing to carry out an appropriate verification of the contracting data subject’s identity. Indeed, in this case, the majority of the information provided by the identity thief was false and not attributable to the data subject. The AEPD found that none of the measures adopted to verify accuracy of the information provided were aimed at verifying the data subject’s identity. Instead, the controller's focus was on ensuring the loan would go to an existing bank account – whosoever’s that may be. The AEPD clarified that this does not mean that a controller is responsible for preventing an illegal or criminal act such as identity theft from occurring. However, where it is a necessary diligence for the controller to comply with its obligations concerning protections of personal data, both with regard to the requirement of consent as well as the principle of truthfulness and accuracy of data, then a controller must implement measures aimed at verifying that the person the controller is contracting with is in fact the holder of the identity documentation provided.

Finally, the AEPD reiterated that the fault in this case lay with the controller and not with any of the debt buyers because they purchased the data as an acquirer in ‘good faith’ and thus cannot be found to have violated Article 6(1) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/31












     File no.: EXP202105363

                   RESOLUTION OF REPLACEMENT APPEAL

Examined the appeal for reconsideration filed by CAIXABANK PAYMENTS &

CONSUMER EFC, EP, S.A.U. (hereinafter referred to as the appellant) against the resolution
dictated by the Director of the Spanish Data Protection Agency dated
11/13/2023, and based on the following



                                       FACTS

FIRST: On 11/13/2023, a resolution was issued by the Director of the Agency
Spanish Data Protection in file EXP202105363, by virtue of the
which was imposed on CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U., for (…)

violation of article 6.1 of the RGPD, typified in article 83.5.a) of the RGPD, a
penalty of 70,000 euros (seventy thousand euros).

Said resolution, which was notified to the appellant on 11/14/2023, was
dictated prior to the processing of the corresponding sanctioning procedure,

in accordance with the provisions of Organic Law 3/2018, of December 5, of
Protection of Personal Data and guarantee of digital rights (LOPDGDD), and
additionally in Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter, LPACAP), in matters of
processing of sanctioning procedures.


SECOND: As proven facts of the aforementioned sanctioning procedure,
PS/00603/2022, the following were recorded:

FIRST. On 11/24/2021, the claimant's letter was entered into the AEPD.
expressing his surprise when when he goes to apply for a loan he is denied because

Your personal data appears in common credit information systems
Asnef and Badexcug, at the request of the defendant, as a consequence of a debt
related to an Ikea credit card linked to the claimed entity.
SECOND. A copy of the claimant's DNI is provided.
THIRD. Ikea credit application-contract number ***NUMBER.1, of

01/13/2020, subscribed through the establishment lkea Iberica, S.A., ***ADDRESS.1;
The personal data of the claimant appears: name and surname, address,
DNI number, date of birth, sex, marital status; data is also included
professionals. The signature that appears does not match that of the claimant.
ROOM. The complaint made by the claimant before the Command of the
Civil Guard in Pinto (Madrid), extension of the one carried out in Puente de Vallecas before

the Commissioner of the National Police motivated by the facts claimed and in which
The defendants also state that the Ikea card contract, the mobile number,
email account, address, bank account number, name of
The company and the signature that appears in the aforementioned contract do not correspond to it.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/31








FIFTH. There is evidence provided by the claimed “detail of the file that was sent to
ASNEF, on June 29, 2020” that “The next day, he was discharged
effective in ASNEF; Therefore, the discharge took place on June 30, 2020.
The claimant's data was included in the weekly files that were sent
to ASNEF until August 8, 2020.”

SIXTH. A copy of the payment requirements, dates
06/13/2020 and 06/21/2020, which were sent to the claimant by the claimant in
relation to the existing debt, as a prior step to the inclusion of your personal data
in the ASNEF file.
SEVENTH. The respondent in writing dated 12/31/2021 has stated that “Therefore,
As stated previously, CaixaBank Payments & Consumer,

as soon as he became aware of alleged fraud/forgery in the procurement,
proceeded to delete/block the personal data of the interested party,
proceeding, likewise, to immediately cancel it in the security systems.
credit information”.
However, the respondent in writing dated 06/14/2022 has indicated that “The previous

statement was erroneous since the data of the affected party and claimant, referring to the
credit contract with Ikea Visa card mentioned above, had been given
deregistration from credit information systems on August 11, 2021, as
consequence of the aforementioned purchase and sale contract and assignment of credits dated
July 29, 2021.”
EIGHTH. It is clear that CaixaBank Payments & Consumer and the company InvestCapital

Ltd. (assignee), formalized the contract by elevating it to a public deed granted before the
notary of Madrid Don A.A.A., on 09/16/2021 the assignment of certain credits between
in which the debt derived from the credit agreement with the Ikea Visa card of
date 01/13/2020.
NINETH. On 02/08/2022, the claimant sent an email to the
CPC Customer Service, subject: identity theft and in which it stated:

“I am contacting you because a few months ago I had a problem with
your identity for a debt that you claimed in my name, this being a
a demonstrable identity theft. Someone applied for an IKEA credit card
using my name and ID, the contract request number is ***NUMBER.1, with
That card withdrew money and that debt was claimed from me. After this event I put a
complaint for identity theft and a claim to the AEPD. After

several procedures, in the end my name was removed from the list of Equifax defaulters.
Today another debt collection company has tried to contact
with me and demanding said payment for a card, which I repeat, I did not request and
They acquired it with my name and ID. This company is called KRUK ESPAÑA S.L.U and already
Not only is he asking me for a fee that does not correspond to me, but even so
harasses people around me to request my information when that is not allowed.

The reference number is (...).
Please, I request that my identity be removed from KRUK ESPAÑA so stop
claim a debt that does not belong to me, and if my identity belongs to anyone
other
collection company I also request that it be removed, since this matter is bothering me

causing many personal and work injuries.
Below, I attach the complaint and the claim made at the time."
On 2/10/2022, the claimant sent the defendant's Customer Service e-mail
email, Subject: [EXTERNAL] REQUEST FOR PROOF OF DEBT (URGENT),
indicating:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/31








“Due to previous identity theft issues regarding the request for a
credit card without my consent or permission, Caixabank Payment&Consumer
He claimed a debt from me that today has already been resolved and eliminated. Therefore, I

I would like to have a letter from Caixabank Payment&Consumer where
Please note that my person, B.B.B. with DNI ***NIF.1 does not have any unpaid debt or
pending with you.
I attach my ID below.”
Which caused a series of cross emails sent from the account:
***EMAIL.1

for ***EMAIL.2
Subject: REQUEST FOR PROOF OF DEBT (URGENT): Re: RV: [EXTERNAL]
IDENTITY FRAUD

In the penultimate of which, dated 05/17/2022, the following appears:


(…)
Please, we need to respond to the complaint that was communicated to you ago.
a few days from the Wallet Sales mailbox.
Could you tell us if you have carried out any action regarding this file?
to be coordinated?

We would need a response between today and tomorrow to be able to respond within the deadline.
(…)”

And on that same date the response email appears:


From: ***EMAIL.3
Sent on: Tuesday, May 17, 2022 12:11
For: (…)
CC: (…)
Subject: RE: [External Mail] RE: Rv: REQUEST FOR PROOF OF DEBT

(URGENT): Re: RV: [EXTERNAL] IDENTITY PHYSING

“(…)
As I conveyed to you this morning, the actions that have taken place in relation to
The file (…), Ms. B.B.B., proceeds as follows:
• On February 3 and 8, 2022, the client contacted us by email

requesting that it be removed from the delinquency file and informing that the present debt
is due to identity theft and that he has gone to file a complaint with
the commissioner and the AEPD. On those dates we proceeded to give you a response requesting
send us the fraud report to be able to paralyze the recovery actions.
• On March 16, 2022, you provided us with the client's email address at

where you request documentation and information about the case, attaching a fraud report.
We responded to the client on 03/09/2022 with said information and
documentation of the case and we indicate that the recovery actions are paralyzed, to the
Waiting for the court ruling to confirm the fact that you have suffered fraud.
• Therefore, as of today, the file is paralyzed due to alleged fraud.

awaiting sentencing.
• Finally, on 04/28/2022 we received a burofax with a claim from the AEPD,
which we have notified our DPO so that he can manage it.
(…)”

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/31








TENTH. The graphological image of the signature of the applicant for the
Ikea card that does not match the complainant's signature.
ELEVENTH. Ikea in writing dated 01/07/2021 stated that “…the
functions of IKEA and IKEA staff are limited to the fulfillment of the function of
assistant to “CAIXABANK P&C” for the administrative processing of documentation

regarding applications for financing”
(…)
For these purposes, and as can be seen in the documentation on file
file, specifically in the aforementioned, application-credit contract, the entity
responsible for contracting the credit and, where applicable, the entity responsible for the
processing of personal data of clients who request financing is

CAIXABANK P&C.
In this sense, we must point out that there is a framework collaboration agreement between
CAIXABANK and IKEA held on December 16, 2020 by which:
IKEA will process the personal data to which it has access as Processor.
Treatment only in accordance with the instructions of CAIXABANK PAYMENTS &

CONSUMER. These instructions include the following tasks:
• Assistance in the administrative processing of documentation related to the
applications for financing and subscription to insurance offered by CAIXABANK
PAYMENTS & CONSUMER consisting of:
• The delivery of the pre-contractual information required by credit regulations to the
consumption

• The management of the paper documentation necessary for the formalization of the
financing request and its digitalization for sending to the Responsible for the
treatment through this equipment.”
(…)“
TWELFTH. CGI in relation to the CPC SHIPPING CERTIFICATE matter,
has stated in writing dated 03/01/2023:

That the letter dated 06/21/2020, a copy of which is attached, was generated with the
information provided by the claimed party..., for printing (File: (...); Envelope:
XXXX) and subsequent making available to the postal distributor who was in charge of its
shipping to address:
***ADDRESS.2


Once the established process has been carried out and since it has been made available in
CORREOS, it is clear that there has been no incident and no refund of any
said letter to date.”
THIRTEENTH. In the computer systems of the defendant there are registered
the claimant's data: name and surname, address, DNI number, mobile number, address
email, bank account number, date of birth, length of service

company, monthly income (figure without payroll), etc.
FOURTEENTH. In relation to the account provided by the contracting party ING BANK
NV SUCURSAL IN SPAIN in writing dated 07/23/2023 has indicated that “The account
***ACCOUNTA.1 was hired over the telephone by Mrs. C.C.C. on date 06
September 2018. ING sent a courier to your postal address to verify the

identity of the owner and to deliver the “Welcome Pack” that contained the Conditions
particular contracts for the opening of the aforementioned Payroll account, as
as shown in the following screenshot (…) The ratification of the contract was
received by ING on September 20, 2018. The Particular Conditions of
hiring of a Payroll Account and the delivery note are attached…”

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/31








FIFTEENTH. In relation to the address provided by the contracting party, the
Madrid City Council, Cartography Department, Street Map Technical Unit,
In writing dated 08/07/2023, he stated that “Currently there are no roads in the

municipal street map of the city of Madrid with the name of Street (...) and therefore
nor is number 75 on this road.”
SIXTEENTH. The respondent in writing dated 03/14/2023 has confirmed the
impersonation of the claimant stating that “only the use of a system
created with the intention of defrauding the Entity, prevented it from detecting the
falsification of the documentation delivered by the credit applicant, who, in his or her

case, supplanted the personality of today's claimant, causing the events that
motivated, at the time, the claim presented by it before that Agency and the
opening of these proceedings.”

THIRD: The appellant has presented on 12/14/2023, in this Agency

Spanish Data Protection, appeal for reconsideration substantiating it,
basically, in the allegations made during the procedure and, furthermore, their
disagreement with the resolution issued since the debt that accessed the file was
certain due and due for non-payment, being required for payment; that when
assigned the debt, there was no knowledge of the fraudulent use of the data of the
claimant by third party and that responsibility cannot be placed on the

claimed identity theft; violation of the non bis in idem principle
and the absence of guilt of the defendant.


                           FOUNDATIONS OF LAW


                                        Yo
       The Director of the Agency is competent to resolve this appeal.
Spanish Data Protection, in accordance with the provisions of article 123
of Law 39/2015, of October 1, on the Common Administrative Procedure of the

Public Administrations (hereinafter LPACAP) and article 48.1 of the Law
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of
digital rights (hereinafter, LOPDGDD).

                                        II

       In relation to the statements made by the appellant,
basically reiterating the allegations already presented throughout the
sanctioning procedure, it should be noted that all of them have already been analyzed and
rejected in the Fundamentals of Law II to VII, of the appealed Resolution, as
as transcribed below:


                                          “II
       The reported facts materialize in the inclusion of the data of
personal character of the claimant in common credit information systems
instances of the defendant, in relation to a debt related to the request for a
IKEA credit card linked to the defendant, which the claimant states does not

have subscribed, as well as the assignment of the debt to the company InvestCapital Ltd., who
In turn, I include the data in delinquency files.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/31








       The RGPD in its article 5 establishes the principles that must govern the
processing of personal data, and in section 1 it states that:


       "1. The personal data will be:

       a) treated in a lawful, loyal and transparent manner with the interested party (<<legality,
loyalty and transparency>>).
       (…)”


       And in section 2, it establishes that:

       "2. The person responsible for the treatment will be responsible for compliance with the
provided in section 1 and capable of demonstrating it (<<proactive responsibility>>).”


       On the other hand, article 6, Lawfulness of processing, of the RGPD in section 1,
states that:

       "1. Treatment will only be legal if at least one of the following is met
conditions:


       a) the interested party gave his consent for the processing of his data
       personal for one or more specific purposes;
       b) the processing is necessary for the performance of a contract in which the
       interested party is part or for the application at his request of measures
       pre-contractual;

       c) the processing is necessary for compliance with a legal obligation
       applicable to the data controller;
       d) the processing is necessary to protect the vital interests of the interested party or
       from another natural person;
       e) the processing is necessary for the fulfillment of a mission carried out in

       public interest or in the exercise of public powers conferred on the person responsible
       of the treatment;
       f) the processing is necessary for the satisfaction of legitimate interests
       pursued by the person responsible for the treatment or by a third party, provided that
       The interests or rights and freedoms do not prevail over said interests.
       fundamentals of the interested party that require the protection of personal data,

       particularly when the interested party is a child.

       The provisions of letter f) of the first paragraph will not apply to the
processing carried out by public authorities in the exercise of their functions.


       On the other hand, article 4 of the RGPD, Definitions, in sections 1, 2 and 11,
notes that:

       “1) “personal data”: any information about an identified natural person
or identifiable ("the interested party"); Any identifiable natural person will be considered

person whose identity can be determined, directly or indirectly, in particular
by means of an identifier, such as a name, an identification number,
location data, an online identifier or one or more elements of the


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/31








physical, physiological, genetic, mental, economic, cultural or social identity of said
person;

       “2) “treatment”: any operation or set of operations performed
on personal data or sets of personal data, whether by procedures

automated or not, such as the collection, registration, organization, structuring,
conservation, adaptation or modification, extraction, consultation, use,
communication by transmission, broadcast or any other form of enabling
access, collation or interconnection, limitation, deletion or destruction;

       “11) “consent of the interested party”: any manifestation of free will,

specific, informed and unequivocal by which the interested party accepts, either through
a statement or a clear affirmative action, the processing of personal data that
concern him.”

       And article 20 of the LOPDGDD, Credit information systems, establishes

that:

       "1. Unless proven otherwise, data processing will be presumed lawful.
personal data relating to non-compliance with monetary, financial or legal obligations.
credit through common credit information systems when the
following requirements:


       a) That the data have been provided by the creditor or by someone acting on their behalf.
       account or interest.
       b) That the data refer to certain debts, due and payable, whose
       existence or amount had not been the subject of an administrative claim or
       judicial by the debtor or through an alternative dispute resolution procedure

       binding disputes between the parties.
       c) That the creditor has informed the affected party in the contract or at the time
       to require payment regarding the possibility of inclusion in said systems,
       with indication of those in which it participates.
       The entity that maintains the credit information system with data
       relating to non-compliance with monetary, financial or credit obligations

       must notify the affected party of the inclusion of such data and inform them about the
       possibility of exercising the rights established in articles 15 to 22 of the
       Regulation (EU) 2016/679 within thirty days following the
       notification of the debt to the system, the data remaining blocked
       during that period.
       d) That the data is only kept in the system as long as the data persists.

       non-compliance, with a maximum limit of five years from the date of
       expiration of the monetary, financial or credit obligation.
       e) That the data referring to a specific debtor can only be
       consulted when whoever consults the system maintains a relationship
       contractual with the affected party that involves the payment of a pecuniary amount or

       he would have requested the execution of a contract that entails
       financing, deferred payment or periodic billing, as happens, among others
       assumptions, in those provided for in the legislation of consumer credit contracts
       and real estate credit contracts.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid Seeagpd.gob.es 8/31








       When the right to limit the amount of money has been exercised before the system
       processing of the data challenging its accuracy in accordance with the provisions of the
       article 18.1.a) of Regulation (EU) 2016/679, the system will inform those who

       could consult it in accordance with the previous paragraph about the mere
       existence of said circumstance, without providing specific data regarding
       those in which the right had been exercised, while the request is resolved
       of the affected person.
       f) That, in the event that the request to conclude the contract is denied,
       or this will not be held, as a consequence of the consultation carried out,

       whoever consulted the system informs the affected person of the result of said
       consultation.

       2. The entities that maintain the system and the creditors, with respect to the
processing of data referring to their debtors, will have the status of

co-responsible for the processing of the data, the provisions established by
Article 26 of Regulation (EU) 2016/679.

       It will be up to the creditor to guarantee that the required requirements are met.
for inclusion in the debt system, responding for its non-existence or
inaccuracy.


       3. The presumption referred to in section 1 of this article does not cover
the cases in which the credit information was associated by the entity that
maintain the system with information additional to that contemplated in said
section, related to the debtor and obtained from other sources, in order to carry out

outlining it, in particular through the application of techniques of
credit rating”.


                                               III

       Article 58 of the GDPR, Powers, states:

       "2. Each supervisory authority will have all of the following powers
corrective measures indicated below:

       (…)

       d) order the person responsible or in charge of the treatment that the operations of
       treatment comply with the provisions of this Regulation, when
       appropriate, in a certain manner and within a specified period;
       (…)
       i) impose an administrative fine in accordance with Article 83, in addition to or in

       instead of the measures mentioned in this section, according to the
       circumstances of each particular case;
       (…)”



                                           IV
       The infraction attributed to the person complained of is classified in the
article 83.5 a) of the GDPR, which considers that the violation of “the basic principles
for the treatment, including the conditions for consent under the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/31








articles 5, 6, 7 and 9” is punishable, in accordance with section 5 of the aforementioned
article 83 of the aforementioned Regulation, “with administrative fines of €20,000,000 as
maximum or, in the case of a company, an amount equivalent to 4% as

maximum of the total global annual turnover of the previous financial year,
opting for the highest amount.”

       The LOPDGDD in its article 71, Infractions, states that: “They constitute
infractions the acts and conduct referred to in sections 4, 5 and 6 of the
article 83 of Regulation (EU) 2016/679, as well as those that are contrary to the

present organic law.”

       And in its article 72, it considers for the purposes of prescription, which are: “Infringements
considered very serious:


       1. Based on what is established in article 83.5 of the Regulation (EU)
2016/679 are considered very serious and will prescribe after three years the infractions that
involve a substantial violation of the articles mentioned therein and, in
in particular, the following:

       (…)

       b) The processing of personal data without any of the
       conditions of legality of the treatment established in article 6 of the
       Regulation (EU) 2016/679.
       (…)


                                              V
       1. It should be noted that data processing requires the existence of a
legal basis that legitimizes it.

       In accordance with article 6.1 of the GDPR, in addition to consent,

There are other possible bases that legitimize the processing of data without the need for
have the authorization of its owner, in particular, when necessary for the
execution of a contract to which the affected party is a party or for the application, at the request
of this, pre-contractual measures, or when necessary for the satisfaction of
legitimate interests pursued by the data controller or by a third party,
provided that the interests or rights do not prevail over said interests and

fundamental freedoms of the affected party that require the protection of such data. He
Treatment is also considered lawful when it is necessary for the fulfillment of
a legal obligation applicable to the data controller, to protect interests
vital of the affected person or of another natural person or for the fulfillment of a mission
carried out in the public interest or in the exercise of public powers conferred on the

responsible for the treatment.

       In the present case, the defendant is accused of violating article 6.1 of the
RGPD when the illegality of the treatment carried out is evident without stating
accredited none of the bases of legitimation provided for in the aforementioned article in

in relation to the processing related to the claimant's data.

       2. The defendant carried out the processing of the claimant's data without
any legitimation since the guarantees provided for in article 20 of

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/31








the LOPDGDD, given that the debt was not certain, due or payable, a debt that was not
corresponded to the claimant as it arose from a fraudulent contract.


       Opinion 757/2017 of the Council of State, issued in the relative file
to the draft Organic Law on the Protection of Personal Data,
provides as to the legality of a weighing of legitimate interest made in a
normative text the following:

       “Without prejudice to what has just been observed, given the undoubted convenience

to guarantee the maximum degree of legal security possible by offering the
operators certain guidelines in their actions, without prejudice to respecting the applicability
directly from the European Regulation and, in any case, with the aim of ensuring its effect
useful, the Council of State wishes to point out, as an alternative solution, the possibility of
introduce by legislative means, in specific cases, simple iuris tantum presumptions

favorable to the prevalence of the legitimate interest of the data controller when
certain requirements or conditions are met.

       This solution could be in accordance with the flexibility in the weighting of
interests and the principle of proactive responsibility of the data controller
which, as indicated, pursues the new community regulation. Likewise, the forecast

of simple presumptions unless proven otherwise would have a place in jurisprudence
analyzed, which prohibits establishing in a national standard the result of the aforementioned
weighing "definitively (...), without allowing a different result", obstacle
which the alternative solution proposed here would allow, in principle, to be avoided.”


       Following this provision, the LOPDGDD introduces a presumption «iuris
tantum" of prevalence of the legitimate interest of the data controller in some
certain assumptions, among them, that relating to the processing of data in systems
of credit information. Thus, when the guarantees that art.
20 of the LOPDGDD provides, the treatment may be presumed lawful under the article

6.1.f) of the RGPD, without prejudice to the fact that legitimacy must be assessed case by case and
without prejudice to the fact that the person responsible can carry out the legally required weighing
when the aforementioned guarantees are not met, as the preamble of the law clarifies when
collect:

       “Title IV includes “Provisions applicable to treatments

specific conditions", incorporating a series of assumptions that in no case should
be considered exhaustive of all lawful treatments. Within them there is
appreciate, first of all, those with respect to which the legislator establishes a
“iuris tantum” presumption of prevalence of the legitimate interest of the person responsible when
are carried out with a series of requirements, which does not exclude the legality of this type of

treatments when the conditions provided for in the
text, although in this case the person responsible must carry out the weighting
legally enforceable, as the prevalence of its legitimate interest is not presumed.”

       Among the aforementioned guarantees, article 20 of the LOPDGG contemplates the

consisting of “the data refer to certain debts, due and payable, whose
existence or amount had not been the subject of an administrative or judicial claim by
the debtor or through an alternative dispute resolution procedure
binding between the parties” (art. 20.1.b) RGPD).

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/31









       And as has been stated, in this case, the debt did not correspond to the
claimant, so it was not true, nor expired nor enforceable as it turned out to be non-existent, therefore

that the presumption of legality provided for in the aforementioned article 20 cannot be applicable,
The claimed party must carry out its own weighing as the
weighing done legally. However, in this case it is not clear that the party
claimed has made such a weighting and consequently that its interests
legitimate interests prevail over the interests, rights and freedoms of the party
claimed.


       Thus, in this case, on 12/16/2020, the defendant and IKEA formalized
Collaboration agreement under which “IKEA will process personal data to the
who has access as Data Processor only in accordance with the
instructions of the defendant.”


       The necessary documentation is listed on the Ikea website.
present to apply for the Ikea Visa card: identification document, a receipt
original bank account with the name of the owner, account number for the direct debit and
original proof of income.

       The person responsible for contracting the credit and processing the data
personal data of the clients requesting financing is the one claimed, in the
established procedure for the formalization of a credit contract to obtain

the Ikea card, the Ikea employee/seller uses an application installed on the
digital tablet that is connected to the defendant's computer systems; this
In this way, the data obtained is immediately sent to the systems
computer data of the claimed party for verification, analysis and processing before said
commercial, Ikea not retaining in compliance with the agreement signed any

documentation in this regard or any personal data.

       Well, the signature that appears on the DNI and the one that appears on the contract provided
do not match; Furthermore, the defendant has a series of socioeconomic data that does not
It is known that they will be provided to you during the contract; As stated in the report of
actions “The defendant has not provided documentation that proves the previous

socioeconomic information contained in their systems.” Among that documentation
The account number in which the payments were direct debited appears; according to the FAQs
(Frequently Asked Questions) financing:
       What requirements exist to request my Card?
       You just have to present:

        An identification document such as a DNI or passport
        An original bank receipt with your name and account number for the
domiciliation.
        Original proof of income:
       • Last payroll

       • Self-employed workers, managers and administrators: last personal income tax or quarter
       • Pensioners: pension revaluation sheet
       If you are a CaixaBank customer, you only need your DNI/NIE and your credit card or
debit to process your request.

       However, said documentation that the applicant must provide neither appears nor

appears to the one claimed, that is, it was not provided since we must not forget that the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/31








claimant was not the owner of the bank account according to the facts
tested.


       The Ikea salesperson, having the applicant physically present in the
commercial establishment must proceed to identify the client through their
identification document.

       Subsequently, having the client in front of him, he takes a photograph of his
identity document with the digitizing tablet and requests personal data

additional, socioeconomic data (employment status, monthly income,
pay, position, Profession, company, etc.) and enter the information into the system.

       Finally, the application has a signing process through the tablet
digitizing machine and the data obtained are immediately sent to the systems

computer data of the claimed party for verification, analysis and processing before said
trade.

       Well, as the claimant states both in her claim before the
AEPD as in its complaint before the Civil Guard Command in Pinto
(Madrid), extension of the one carried out in Puente de Vallecas before the Commissioner of the

National Police, was never in the aforementioned shopping center so it could never
sign the Ikea card contract and not provide the data contained therein; such
This is how the mobile number, email account, address, telephone number
bank account, company and signature that appear in the aforementioned contract do not correspond to you.
From the above, the negligent action of the defendant who did not proceed to

carry out the appropriate verifications or verify that the necessary documentation
for the recruitment had been sent by the IKEA establishment.

       In relation to the account number provided, ING BANK NV SUCURSAL EN
SPAIN, in writing dated 07/23/2023, has indicated that the aforementioned account was contracted

telephoned by a person who is not the claimant on 09/06/2018.

       And in relation to the signature stamped on the contract, it does not correspond to the
signature of the claimant.

       In this regard, the T.S. in ruling of 12/13/2021, No. 1,456/2021 and in

regarding the contracting of a microcredit and the diligence displayed, he pointed out in
its Second Reason “Regarding the first question (lack of diligence in the
action) in the appeal the allegations that the then
plaintiff made in the trial process, in the sense that Dineo Crédito, S.L.
adopted all necessary and appropriate measures, from the point of view of the

protection of personal data, to process the microcredit application (registration in
the platform; DNI validation: with double-factor verification of 2 algorithms that
guarantee both the veracity of the number and letter of the document and that the
applicant has in his possession the DNI, original or copy; validation of the number of
mobile phone via a PIN code, bank details validation and validation

of the credit/debit card provided by the applicant); and despite the adoption of such
measures, the crime of identity theft, fraud could have been committed
and/or improper use of a true document.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/31








       Well, we have seen that the fourth legal basis of the ruling
instance gives a complete response to such allegations. He points there to the Hall of the
National Court that is analyzed in detail in the sanctioning resolution
the identity verification mechanism of the credit applicant that Dineo Crédito,
S.L. had established and its insufficiency is evident. Thus, with the so-called

"registration on the platform", a procedure in which certain information is collected from the client
data (including ID number, two telephone numbers and email)
it is only demonstrated that from that moment on there has been data processing
personal, but it is unknown whether the data provided by the client and collected by
Money, they belong to the person who provides them as their own or to a third party. Refering to
phase that the appellant calls "DNI validation" (an algorithm that allows

determine whether or not the DNI provided by the client corresponds to a real DNI or
valid), such a measure only demonstrates that it is a document number
that it exists and that "someone" is the owner of that DNI. For its part, the so-called "validation
of the mobile number", which consists of sending to the contracting party's mobile terminal a
four-digit key or pin that the customer must subsequently enter into the

form that you access from the Dineo website, only certifies that
Whoever intends to contract with Dineo has access to that mobile number, but nothing
says about the identity of the contracting party.
       The phase of the loan contracting procedure called
"validation of bank details", which consists of verifying whether the bank account "is
real" and is effectively associated with a bank account, is also irrelevant

from the point of view of respect for the obligations imposed by the regulations of
data protection, as it only ensures the good outcome of the loan, that is, that the
amount borrowed will be directed to an open and active account, but it contributes nothing in terms of
that the owner of that account is precisely the person who appears on the DNI
used. And finally, the phase called validation of the "credit card",
consisting of a cent being loaded into it that automatically turns out to be

reinstated, there is no evidence that in the case at hand it was carried out, as no
in the appellant's computer records.
       In short, none of the measures adopted by the appellant are
intended to prove that the person requesting the microcredit matches the owner
of the DNI provided. And, in effect, it continues explaining the appealed sentence, the evidence
practiced in the administrative process came to show that, with respect to the

telephone line provided when the credit was requested, nor the name, surname and NIF
of the owner of the line coincide with the personal data of the complainant (owner of the
DNI); and in relation to the bank account that appears in Dineo's records, to the
that the amount of the micro loan would have been transferred, the data of the owner of the
account on the date of contracting the credit do not match the data
personal details of the complainant. Not even the owner of the mobile phone and the owner of the bank account

they are the same person.
       These assessments of the trial court regarding the insufficiency of the
measures adopted in the online contracting procedure, and, ultimately, on
lack of diligence in the action by the appellant, in no way have they been
distorted in cassation, where the representation of Dineo Crédito, S.L. has reiterated

the statements he made in the trial process but nothing has contributed that
serve to refute the conclusions of the sentencing Chamber.
       In short, we share the opinion of the National Court Chamber regarding the
insufficiency of the measures applied by the appellant in the


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/31








hiring. To the considerations set forth in the appealed ruling, which
We share and make our own, we will only add two observations:
       Firstly, the verification measures applied by the appellant

seem entirely aimed at ensuring the good outcome of the loan, but, in
Instead, they completely ignore the objective of verifying the veracity and accuracy
of the data, and, in particular, to verify that the person requesting the credit is
precisely who he says he is. Thus, in any case in which a third party
improperly use a stolen or lost DNI to make a purchase or
apply for a credit online, the non-consensual treatment of the

personal data of the holder of the document, even if he had reported at the time
before the authorities the loss or theft of your DNI, since none of the measures
stated by the appellant appears minimally oriented to prevent or hinder
for that result to occur.
       Secondly, the above does not mean that it falls on the company

contracting party the responsibility of preventing an illegal or criminal act from occurring
such as the fraudulent use of a DNI by someone who is not its owner. But if
is required from said contracting company, as a necessary diligence so that it is not
may be accused of non-compliance with its obligations regarding the protection of
personal data - both with regard to the requirement of consent
of the interested party as well as with regard to the principle of truthfulness and accuracy of the data - the

implementation of control measures aimed at verifying that the person who intends to
hiring is who they say they are, that is, they coincide with the holder of the DNI provided.
       For the rest, in accordance with what we have exposed, also
We share the opinion of the National Court Chamber (legal basis
fifth of the appealed sentence) regarding the violation of the requirement

accuracy and veracity of the data (principle of data quality included in the
article 4.3 LOPD in relation to article 29 of the same Organic Law and the
article 38 of the Regulation approved by Royal Decree 1,720/2007, of 21
December), having incorporated the appellant into its computer systems, giving
then transfer it to the Asnef asset solvency file, personal data of the

complainant associated with a debt that was not true, due or payable since the
“the complainant had not contracted the microcredit.”

       And as occurs in the case analyzed by the aforementioned ruling, in this case
The defendant also did not diligently verify the veracity and accuracy of the data,
and, in particular, that the person requesting the credit was precisely who he said he was.


       Furthermore, the proven facts show that the CGI company in
written of 03/01/2023 and in relation to the sending of the payment request to the
complainant that “the letter dated 06/21/2020, a copy of which is attached, was generated
with the information provided by the defendant..., for printing (File:

RECINFENV20200620.PDF; Envelope: 1347) and subsequent making available to the
postal distributor who was in charge of sending it to the address:
       ***ADDRESS.2

       Once the established process has been carried out and since it has been made available in

CORREOS, it is clear that there has been no incident and no refund of any
said letter to date”, that is, it is considered good that the letter reached its
recipient when the Madrid City Council itself, through the Technical Unit
del Callejero in writing dated 08/07/2023 has indicated that “Currently there is no

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/31








road in the municipal street map of the city of Madrid with the name of Street (...) and by
Therefore neither does number 75 on this road. So it is another element that
should have been taken into account by the claimant when verifying the certainty of the
information provided at the time of contracting.


       3. The defendant states that given the possibility that there had been
impersonation of the identity of the claimant and the consequent treatment of her
data illegitimately, deleted them blocking their data.

       In this way, in writing dated 03/14/2023, the defendant confirmed that “only the
use of a system created with the intention of defrauding the Entity prevented it from

could detect the falsification of the documentation submitted by the applicant for the
credit, who, in his case, supplanted the personality of the current claimant, causing
the facts that motivated, at the time, the claim presented by it before that
Agency and the opening of these proceedings.”


       However, in its response dated 06/14/2022 to the request made
by this management center indicated that the Ikea Visa card debt amounted to
€690.25 and that on 06/29/2020 he sent the pertinent information to the ASNEF file and that,
The next day, 06/30/2020, the claimant's data was registered in the
ASNEF equity solvency file effectively by being included in the
weekly files that were sent until 08/20/2020.


       And that “In accordance with the communication procedure for registrations and cancellations
to credit information systems, the data was deleted from the ASNEF file
effective on August 11, 2021.”

       That is, the claimant's data was included in the files called

commonly delinquent on 06/30/2020 and effectively written off on the date
08/11/2021. Therefore, the claimant's data during the period in which
were contained in the aforementioned file, they continued to be processed until they were deleted.
effective by the person claimed illegitimately, as there is no proven legal basis
any for its treatment, since the presumption of legality is not applicable
contemplated in article 20.1 since the debt was neither certain, nor due nor

required since the contracting of the Ikea card with the claimant is not proven.

       4. For greater completeness, it appears from the proven facts that the person claimed in
writing dated 12/31/2021 stated “CaixaBank Payments & Consumer, as soon as it had
knowledge of alleged fraud/forgery in the contracting, proceeded to
deletion/blocking of the personal data of the interested party, proceeding, likewise,

to immediately cancel it in the credit information systems.”

       But, in a subsequent letter dated 06/14/2022, it stated “The previous
statement was erroneous since the data of the affected party and claimant, referring to the
credit contract with Ikea Visa card mentioned above, had been given

deregistration from credit information systems on August 11, 2021, as
consequence of the aforementioned purchase and sale contract and assignment of credits dated
July 29, 2021.”



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/31








       Therefore, the defendant did not proceed to delete the data in the data files.
defaulters or to block the data because they had knowledge of the alleged
impersonation of the claimant and alleged fraud in the

contracting, but the deletion in the files was motivated because the credit was
object of transfer through a purchase and sale contract formalized in Madrid, before the
notary Don A.A.A. with the company Invest Capital Ltd., on 09/16/2021, commercial
which in turn includes the data in the file.

       Therefore, as previously noted, the actions of the defendant

represents a violation of article 6.1 of the RGPD, in relation to article 20.1 of the
LOPDGDD, violation of the principle of legality in the processing of data that
requires the existence of a legal basis that legitimizes it; violation that caused
the claimant's data were included in the credit information systems
without the debt being certain, due and payable and without the claimant having

proven to have carried out the legally established weighting, and consequently
without stating that their legitimate interests prevail over the interests, rights
and freedoms of the claimant, an infringement classified in article 83.5.a) of the RGPD.

                                              SAW
       In allegations to the Proposed Resolution, the defendant has alleged his

disagreement with it, alleging that:

       1. The lack of violation of article 6.1 of the RGPD, since the
alleged infringement has as its origin the deception exercised on the person of the
seller by maliciously impersonating the identity of the claimant at the time of

validate your identity as an applicant physically present at the establishment
commercial.

       Article 8.1 of the LOPSC establishes that the DNI “is the only document with
sufficient value on its own to accredit, for all purposes, the identity and

the personal data of its owner” and that verification by the person in charge of the
claimed the identity of the interested party at the time of the application-contracting of
The card is considered legal and necessary to contract.

       According to the dictionary of the Royal Academy of the Spanish Language (RAE), it defines
the term “identification” as “action and effect of identifying or identifying oneself” and the

term “identify” as “Recognize whether a person or thing is the same as
supposed or sought.” The term “identity” (in its second meaning) as a “set
of traits specific to an individual or a community that characterize them versus
others"


       In short, the obligation to “identify” that falls on the seller of the
prescriber translates into “recognize” whether the identity data, that is, the elements
or traits that characterize the person who intends to sign the application-contract of the
card (name, surname, identification document number and nature of the
document and even its physical image) are those that appear in the “document”

“accreditation of personality.”

       As noted in point 2 of foundation V, in accordance with the
Agreement signed between the defendant and IKEA, the seller having the applicant

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/31








physically present in the commercial establishment proceeds to identify it through
of your identity document.


       Well, it is surprising that the defendant indicates that he acted with diligence
necessary since it has implemented security measures in its contracting processes.
verification of identity based on the DNI, resulting paradoxically that the
seller having the applicant in front of him and requiring his DNI in order to verify his
identity through visual verification of the elements and features that characterize
The person he intended to hire did not realize that it was not the same person. Therefore,

This is not, as the defendant tries to argue, an invincible error, but rather a fault.
of negligence that would have been overcome if the measures had been adopted
necessary and opportune that would have led to the conclusion that the person who went to the
commercial establishment was not the one it claimed to be and whose document it carried, which
which is also shocking in light of the facts established in the procedure:

The signature did not correspond to the one existing on the DNI and even so the employee, as stated
indicated previously, proceeded to record the graphological image of the
signature in the entity's systems, the affirmation of the entity itself that has indicated
that a correct identification of the person was not made, so we are facing a
behavior of serious negligence, easily overcome if they had been
adopted the appropriate protocols and precautions, since neither the signatures coincided, nor was there

the address provided, nor was the necessary documentation presented to prove that the
The bank account number provided corresponded to the contracting party.

       It is not that the people involved in the identification of the
potential clients have difficulties due to the fact that they are not specialists in detecting

said impersonations; The rational thing is that appropriate measures be adopted and
adequate and necessary precautions so that such incidents do not take place.

       The A.N. In a ruling dated 01/10/2012, it states that: “Applying the previous
regulations to the alleged defendant, it turns out that it has been proven, and not distorted

through proof to the contrary, that a commercial distribution contract was signed,
by the plaintiff entity and in which personal data of the
complainant, specifically his name, surname and ID, but without
correspond to it neither its supposed address, nor its supposed phone number.
phone number and not your email address either.
       Contract that lacks any signature and whose formalization has been denied by

such complainant.
       Having also been proven that, once the invoice generated was unpaid
for the services derived from the aforementioned contract, Avon Cosmetics included the name and
DNI number of the aforementioned complainant in the Asnef delinquency file.
       In short, it is that the plaintiff entity began a commercial relationship with

a third person without sufficient control or supervision insofar as he was not able to
detect that really, the person who was expressing his willingness to hire,
He wasn't who he said he was. As derived from the aforementioned RGPD, AVON, as
responsible for the treatment, and despite its extensive arguments of the
lawsuit, has not been able to demonstrate that the complainant had given her

consent to the processing of your personal data.
       If AVON has taken the necessary precautions to ensure the
identity of the contracting person, for which it would have been enough to verify some type
of identification documentation (even by telematic means), the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/31








violation of article 6.1 of the RGPD charged by the AEPD. In short, by not
having acted with the necessary diligence, the data of the affected party were processed without
have your consent, which represents a violation of such an essential principle

of legality, given that none of the circumstances exist in the case.
exceptional circumstances that would exempt the need for such consent. Of all of which
It follows that the events described are of sufficient importance to be classified as
serious violation of article 86.5 of the RGPD.
       It is not possible to appreciate, on the other hand, the invincible error that insistently
is invoked in the lawsuit, since in addition to the fact that it must be demonstrated (STS of

June 23, 2014) in short, as already indicated, and without prejudice to fraud
committed, the truth is that there was not sufficient diligence on the part of Avon Cosmetics or
at the time of including the complainant's data in its computer bases, nor in
the moment of notifying them to the asset solvency and credit file.
       Without being able to take into consideration, finally, the invoked

absence of responsibility for having been a victim of fraud, since although in the
Currently, article 28 of the LRJPAC only recognizes liability "as a matter of
intent or guilt", there is no doubt that the requirement of guilt in the illicit
administrative is more flexible than in criminal law, and thus, in accordance with repeated
Jurisprudence, in the face of clearly illegal behavior, it is not enough to invoke
the absence of fault, but it must be proven that due diligence has been used

required (SSTS March 23, 2011 and October 21, 2014, among many others),
diligence that, based on everything stated, cannot be seen in Avon's conduct
Cosmetics.
       From all of which it follows that the sanction imposed on the plaintiff entity in such
The disputed resolution is legal and proportionate, so the same

It has to be confirmed.”

       On the other hand, regarding the unfavorable opinion of the AEPD to the initiative
raised about the possibility of using facial recognition data at the time of
registration of clients, it should be noted that any processing of data of a

personnel must have a basis of legitimacy, and the case must be attended to
specific and the possible interference in the right to data protection, and the
compliance with the principles contained in art. 5 of the GDPR, including
principles of legality and data minimization.

       2. The violation of the doctrine of proper acts when archiving

similar claims in which there is identity of facts and subjects to those of the
present procedure including EXP2022022936.

       However, the issue invoked by the defendant has nothing to do with the
violation of the doctrine of proper acts and must be dismissed.


       Firstly, the aforementioned file was directed against KRUK ESPAÑA S.L. to the
be claimed from the interested party a debt whose original creditor was the now
claimed (CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U.), being the
claimant the same person who files the claim that gave rise to this

procedure for violation of article 6.1 RGPD in relation to article 20 of the
LOPDGDD.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/31








       As indicated in point 4 of the previous foundation, the defendant and the
entity INVESTCAPITAL, LTD formalized a contract for the purchase and sale of a portfolio of
credits in Madrid, before the notary Don A.A.A. on 09/16/2021, among which

found that of the claimant, referring to this letter informing about said transfer
of the credit right.

       In turn, the KRUK entity, in its capacity as data processor,
provided InvestCapital, responsible for the treatment and current creditor, the services
debt recovery.


       As stated in the proven facts, the claimant sent emails
emails in which she requested to know if she was listed as a debtor in their systems and
that he was not the owner of the aforementioned debt, indicating that he had suffered an impersonation of
identity regarding the contracting of the CaixaBank card, for which he requested the

deletion of your data.

       On 03/09/2022 KRUK responded to the claimant confirming the amount
Of the debt. Regarding the request to delete the data, KRUK indicated that
They could not attend to it since the new creditor (InvestCapital) was aware of the
debt, but that, given that he had provided evidence of possible fraud by having

reported identity theft to the police, KRUK informed him that
agreed to paralyze the file until there was evidence of the impersonation of
identity that would allow the file to be definitively closed.

       And furthermore, the claimant forgets that the processing of the claimant's data

carried out by InvestCapital, in its capacity as data controller and,
KRUK, in its capacity as the person in charge of the treatment, as it is the result of the
acquisition of a package of debts from the defendant (CAIXABANK PAYMENTS &
CONSUMER EFC, EP, S.A.U.) trusted in the appearance of veracity of the credits
assigned and given that in the treatment carried out it is produced as a good acquirer

faith, cannot constitute a violation of article 6.1 of the RGPD.

       Quite the opposite of the defendant whose actions are contrary to the principle of
legality enshrined in article 6.1 of the GDPR; Treatment begins with
fraudulent contracting of the Ikea credit card number ***NUMBER.1, dated
01/13/2020, signed at the establishment lkea Iberica, S.A., of ***ADDRESS.1 and

which is permanent over time with the subsequent inclusion of the data of the
claimant in the Asnef file for a debt that did not correspond to him, since
06/30/2020 until 08/11/2021, leave that is a consequence of the aforementioned contract
of sale and assignment of credits dated 07/29/2021.


       This way of proceeding is contrary to article 6.1 of the RGPD and finds its
typification in article 83.5.a) of the RGPD.

       3. The defendant also alleges the absence of guilt in his actions and
that no one can be condemned or punished except for acts of intent or guilt.


       Strict liability is proscribed in our legal system. In
The scope of administrative sanctioning law governs the principle of guilt, of
way that the subjective or culpable element is an indispensable condition for

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 20/31








that sanctioning responsibility arises. Article 28 of Law 40/2015, of
Legal Regime of the Public Sector (LRJSP) regulates the principle of guilt and
provides: “1. They may only be sanctioned for acts that constitute an infraction.
administrative authority of natural and legal persons, as well as, when a Law
recognize the capacity to act, the affected groups, the unions and entities without

legal personality and independent or autonomous assets, which are
responsible for them by way of fraud or guilt.”

       In light of this precept, sanctioning responsibility can be demanded from
title of fraud or guilt, being sufficient in the latter case the mere non-observance of the
duty of care.


       The Constitutional Court, among others, in its STC 76/1999, has declared that
Administrative sanctions are of the same nature as criminal sanctions, as they are
one of the manifestations of the ius puniendi of the State, and that, as a requirement
derived from the principles of legal certainty and criminal legality enshrined in the

Articles 9.3 and 25.1 of the EC, their existence is essential to impose them.

       Regarding the guilt of the legal entity, the STC should be cited.
246/1991, December 19, 1991 (F.J. 2), according to which, with respect to the
legal persons, the subjective element of fault must necessarily be applied
differently from what is done with respect to natural persons and adds that “This

different construction of the imputability of the authorship of the infraction to the person
legal origin arises from the very nature of legal fiction to which these
subjects. They lack the volitional element in the strict sense, but not the ability to
violate the rules to which they are subject. Violation capacity and, therefore,
direct blameworthiness that derives from the legal good protected by the norm that is
infringes and the need for said protection to be truly effective […]”


       In short, the conduct of the defendant, specified in the violation of the
principle of legality, in relation to article 20 of the LOPDGDD, by including the data
of a personal nature of the claimant in common credit information systems
without basis of legitimacy, since the claimant could not be the contracting party of the card
Ikea violates article 6.1 of the RGPD, action subsumable in the sanctioning type

of article 83.5.a) of the RGPD

       4. Finally, the defendant alleges the violation of the principle of
proportionality in the imposition of the sanction.

       Article 83.1 of the RGPD prevents that “Each supervisory authority will guarantee

that the imposition of administrative fines pursuant to this article for the
infringements of this Regulation indicated in paragraphs 4, 5 and 6 are in
each individual case effective, proportionate and dissuasive.”

       The fines therefore, as deduced from the precept, must be effective,

proportionate and dissuasive for the achievement of the purpose intended by the
GDPR.

       It is true that for this system to work with all its guarantees it is
It is necessary for several elements to be deployed in an integral and complete manner. The

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 21/31








application of rules other than the RGPD regarding the determination of fines in
each of the Member States applying their national law, whether by
aggravating or mitigating circumstances not provided for in the RGPD -or in the LOPDGDD

In the Spanish case, by allowing it under the RGPD itself, it would reduce the effectiveness of the system that
would lose its meaning, its teleological purpose, the will of the legislator, resulting in
the fines imposed for different violations would no longer be effective,
proportionate and dissuasive. And in this way the interested parties would also be robbed.
of the effective guarantee of their rights and freedoms, weakening the uniform application
of the GDPR. Mechanisms for the protection of rights and

freedoms of citizens and would be contrary to the spirit of the RGPD.

       The GDPR is endowed with its own principle of proportionality that must be
applied in its strict terms.



       Regarding the principle of proportionality of sanctions, the Court
National in numerous sentences has indicated that the principle of proportionality
cannot be evaded from jurisdictional control, since the margin of appreciation that is
grants the Administration the imposition of sanctions within the limits
legally provided, must be developed weighing in any case, the

concurrent circumstances, in order to achieve the necessary and due proportion
between the alleged facts and the responsibility demanded, given that any sanction must
determined in congruence with the entity of the infraction committed and according to a
criterion of proportionality in relation to the circumstances of the event. So that
Proportionality constitutes a normative principle that is imposed on the

Administration and that reduces the scope of its sanctioning powers.

       Well, in accordance with the circumstances that occur in the present
case, this resolution does not violate the principle of proportionality in the
determination of the sanctions imposed, being weighted and proportionate to the

seriousness of the infraction committed, the importance of the facts, as well as the
circumstances taken into account to graduate the sanction, without any reasons being appreciated
that further justify the reduction made, especially taking into account the
amount to which said sanctions may amount in accordance with art. 83.5
of the RGDP, which provides for the violation of article 6.1 of the RGDP, “with fines
administrative fees of €20,000,000 maximum or, in the case of a company, a

amount equivalent to a maximum of 4% of the total global annual business volume of the
previous financial year, opting for the highest amount.”

       Well, the entity is a large company within its sector of activity; in
In 2021 (last financial year presented) it had sales of more than 750 million

euros and a fiscal year result of more than 218 million euros.

                                              SAW
       In order to establish the administrative fine that should be imposed, they must
The provisions contained in articles 83.1 and 83.2 of the RGPD must be observed, which

they point out:

       "1. Each supervisory authority will ensure that the imposition of fines
administrative sanctions under this article for violations of this

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 22/31








Regulations indicated in sections 4, 5 and 6 are in each individual case
effective, proportionate and dissuasive.


       2. Administrative fines will be imposed, depending on the circumstances
of each individual case, as an additional or substitute for the measures contemplated
in Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administrative and its amount in each individual case will be duly taken into account:

       a) the nature, severity and duration of the infringement, taking into account the

       nature, scope or purpose of the processing operation in question
       as well as the number of interested parties affected and the level of damage and
       damages they have suffered;
       b) intentionality or negligence in the infringement;
       c) any measure taken by the person responsible or in charge of the treatment

       to alleviate the damages and losses suffered by the interested parties;
       d) the degree of responsibility of the person responsible or in charge of the
       processing, taking into account the technical or organizational measures that have been
       applied under articles 25 and 32;
       e) any previous infraction committed by the person responsible or in charge of the
       treatment;

       f) the degree of cooperation with the supervisory authority in order to put
       remedy the infringement and mitigate the possible adverse effects of the infringement;
       g) the categories of personal data affected by the infringement;
       h) the way in which the supervisory authority became aware of the infringement, in
       particular whether the person responsible or the person in charge notified the infringement and, in that case,

       what extent;
       i) when the measures indicated in Article 58(2) have been
       previously ordered against the person responsible or the person in charge in question
       in relation to the same matter, compliance with said measures;
       j) adherence to codes of conduct under Article 40 or to mechanisms

       of certification approved in accordance with Article 42, and
       k) any other aggravating or mitigating factor applicable to the circumstances of the
       case, such as financial benefits obtained or losses avoided, direct
       or indirectly, through infringement.

       In relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in its

Article 76, “Sanctions and corrective measures”, establishes that:

       "2. In accordance with the provisions of article 83.2.k) of the Regulation (EU)
2016/679 may also be taken into account:


       a) The continuous nature of the infringement.
       b) The linking of the offender's activity with the performance of treatments
       of personal data.
       c) The benefits obtained as a consequence of the commission of the infraction.
       d) The possibility that the conduct of the affected person could have induced the

       commission of the infraction.
       e) The existence of a merger by absorption process after the commission
       of the infringement, which cannot be attributed to the absorbing entity.
       f) The impact on the rights of minors.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 23/31








       g) Have, when it is not mandatory, a delegate for the protection of
data.
       h) Submission by the person responsible or in charge, with character

       voluntary, to alternative conflict resolution mechanisms, in those
       cases in which there are disputes between them and any
       interested."

       - In accordance with the transcribed precepts, in order to set the amount of the
sanction to be imposed in the present case for the infraction classified in article 83.5.a)

and article 6.1 of the RGPD (inclusion of debt in defaulter files), of which
holds the defendant responsible, in an initial assessment, the
following factors:

       These are aggravating circumstances:


       The nature and severity of the violation; the facts revealed
affect a basic principle regarding the processing of personal data,
such as legitimacy, which the norm sanctions with the greatest severity; the level of
the damages suffered by the claimant that affect her economic solvency by
having been denied a loan as a result of your personal data

appeared in common credit information systems at the request of the defendant
in relation to a debt arising from an Ikea credit card that amounted to
€690.25 linked to the person claimed, being registered on 06/30/2020 and appearing
until 08/11/2021, upon being discharged by the claimed party, as a result of the
assignment of the debt to the company Invest Capital Ltd (article 83.2.a) of the RGPD).


       The activity of the allegedly infringing entity is linked to the
processing of personal data of both clients and third parties. In the
activity of the claimed entity, the processing of data of
personal nature so, given its business volume, the significance

of the conduct that is the subject of this claim is undeniable (article 76.2.b) of the
LOPDGDD in relation to article 83.2.k).

       The intentionality or negligence in the infringement, since the defendant included the
data in defaulter files without the debt meeting the requirements of the article
20.1 of the LOPDGDD and without carrying out the necessary weighting. Also connected with

the degree of diligence that the data controller is obliged to display in
compliance with the obligations imposed by data protection regulations
the SAN of 10/17/2007 can be cited. Although it was issued before the validity of the
RGPD, its pronouncement can be perfectly extrapolated to the assumption that
we analyze. The ruling, after alluding to the fact that the entities in which the

development of its activity entails continuous processing of customer data and
Third parties must observe an adequate level of diligence, it stated that “(...). he
Supreme Court has been understanding that imprudence exists whenever
disregards a legal duty of care, that is, when the offender does not behave with
the required diligence. And in assessing the degree of diligence it must be weighed

especially the professionalism or not of the subject, and there is no doubt that, in the case
now examined, when the appellant's activity is constant and abundant
In the handling of personal data, rigor and exquisite care must be insisted upon.
for complying with the legal provisions in this regard” (article 83.2, b) of the RGPD).

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 24/31









       The investigated entity is a large company within its sector of activity and
In 2021 (last financial year presented) it had sales of €752,310,000 and a

fiscal year result of €218,701,000 according to Axesor data (article 83.2.k) of the
GDPR).

                                              VII
       The corrective powers that the RGPD attributes to the AEPD as a control authority
control are listed in article 58.2, sections a) to j).


       Once the infringement has been confirmed, it is appropriate to impose on the person responsible the
adoption of appropriate measures to adjust its actions to the aforementioned regulations
in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD,
according to which each control authority may “d) order the person responsible or in charge

of the processing that the processing operations comply with the provisions of the
this Regulation, where appropriate, in a certain manner and within a
specified period.”

       In the present case, the defendant is required to, within a period of six
months from the notification of this resolution:


       - Accredit the adoption of appropriate measures to prevent future
produce incidents such as those that have caused the opening of this
sanctioning procedure avoiding incidents such as the one indicated when processing data
personal character in credit information systems, without any legitimation of the

contemplated in article 6.1 of the RGPD.

       Please note that failure to comply with the possible order to adopt measures
imposed by this body in the sanctioning resolution may be considered
as an administrative offense in accordance with the provisions of the RGPD, classified

as an infraction in its article 83.5 and 83.6, and such conduct may be motivated by the opening
of a subsequent administrative sanctioning procedure.

                                           III
       The appellant in his appeal document expresses his disagreement with what
indicated in the Resolution appealed in relation to the violation of article 6.1 of the

GDPR and has made the following allegations:

       Firstly, the defendant insists on the processing of the personal data of
the debtor both in the assignment and in the treatment of these by the assignee of the
credit (InvestCapital Ltd), finds its legal basis in article 6.1 GDPR and that

When the transfer was made, I had no knowledge of the possible fraudulent use
of the claimant's data, and after the aforementioned sale she learned
of identity theft and that for this reason there is no guilt.

       However, such an allegation cannot be admitted; The claimed entity is the

data controller, who decides on the processing of personal data
of the interested parties, the purposes and means of said processing and of applying the measures
technical and organizational measures that guarantee the security of personal data with
reason for said treatment; In addition, it must be ensured that the treatment responds to

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 25/31








the principles enshrined in article 5 of the GDPR and, as in the present
case, of the principle of legality.


       Well, the defendant has not proven the mechanism or protocol that
verify the identity of the credit applicant and the appellant is reminded that he has not
distorted any of the issues included in the Resolution with respect to the
way to prove identity and the reason why you do not have the documentation that
was necessary to carry out the contract.


       The person responsible for contracting the credit and processing the data
personal data of the clients requesting financing is the one claimed, in the
established procedure for the formalization of a credit contract to obtain
the Ikea card, the Ikea employee/seller uses an application installed on the
digital tablet that is connected to the defendant's computer systems; this

In this way, the data obtained is immediately sent to the systems
computer data of the claimed party for verification, analysis and processing before said
commercial, Ikea not retaining in compliance with the agreement signed any
documentation in this regard or any personal data.

       Well, the signature that appears on the DNI and the one that appears on the contract provided

do not match; Furthermore, the defendant has a series of socioeconomic data that do not
It is known that they will be provided to you during the contract; As stated in the report of
actions “The defendant has not provided documentation that proves the previous
socioeconomic information contained in their systems.” Among that documentation
The account number in which the payments were direct debited appears; according to the FAQs

(Frequently Asked Questions) financing:
       What requirements exist to request my Card?
       You just have to present:
        An identification document such as ID or passport
        An original bank receipt with your name and account number for the

domiciliation.
        Original proof of income:
       • Last payroll
       • Self-employed workers, managers and administrators: last personal income tax or quarter
       • Pensioners: pension revaluation sheet
       If you are a CaixaBank customer, you only need your DNI/NIE and your credit card or

debit to process your request.

       However, said documentation that the applicant must provide neither appears nor
appears to the one claimed, that is, it was not provided since we must not forget that the
claimant was not the owner of the bank account according to the facts

tested.

       The Ikea salesperson, having the applicant physically present in the
commercial establishment must proceed to identify the client through their
identification document.


       Subsequently, having the client in front of him, he takes a photograph of his
identity document with the digitizing tablet and requests personal data


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 26/31








additional, socioeconomic data (employment status, monthly income,
pay, position, Profession, company, etc.) and enter the information into the system.


       Finally, the application has a signing process through the tablet
digitizing machine and the data obtained are immediately sent to the systems
computer data of the claimed party for verification, analysis and processing before said
trade.

       Well, as the claimant states both in her claim before the

AEPD as in its complaint before the Civil Guard Command in Pinto
(Madrid), extension of the one carried out in Puente de Vallecas before the Commissioner of the
National Police, was never in the aforementioned shopping center so it could never
sign the Ikea card contract and not provide the data contained therein; such
This is how the mobile number, email account, address, telephone number

bank account, company and signature that appear in the aforementioned contract do not correspond to you.
From the above, the negligent action of the defendant who did not proceed to
carry out the appropriate verifications or verify that the necessary documentation
for the hiring had been sent by the IKEA establishment.

       In relation to the account number provided, ING BANK NV SUCURSAL EN

SPAIN, in writing dated 07/23/2023, has indicated that the aforementioned account was contracted
telephoned by a person who is not the claimant on 09/06/2018.

       And in relation to the signature stamped on the contract, it does not correspond to the
signature of the claimant.”


        Therefore, the mechanism to verify the identity of the
credit applicant, how is it possible that having in front of the credit applicant
card, the subscriber will verify its identity without matching, not only the person
that he intended to hire, in addition to none of the documents that were necessary

to carry out the hiring? Except for the serious negligence in the actions that
would have been overcome had the mechanism or protocol that would have been followed
concluded that the person who went to the commercial establishment was not the one
who he claimed to be and that the document he was carrying was not his and, to make matters worse,
proceeded to register the graphological image of the signature in the systems
Of the entity; The entity itself has indicated that a correct

identification of the person, so we are faced with a behavior absent of
any diligence.

       It is not only about proving that the contract has existed, the
responsible person must be able to prove that the contract was made by

the person who says he is who he is.

       - The appellant also alleges that the inclusion of the claimant's data
in common credit information systems was due to non-payment of the
debt corresponding to the credit contract with an Ikea card and that the

payment requirements sent to the claimant as a prior step to the aforementioned
inclusion.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 27/31








       It is necessary to reiterate again that the debt to which the appellant
referred to came from a contract that the claimant had not signed, as is evident
accredited in the procedure, so the debt linked to the aforementioned credit card

Ikea credit could not be true, due or payable as it did not correspond to the claimant.

       To make matters worse, and regarding the debt requirements sent to the
claimant, appears in the proven facts that have not been distorted by the
appellant, that the CGI company by writing of 03/01/2023 sent to the
complainant “the letter dated 06/21/2020, a copy of which is attached, was generated with the

information provided by the claimed party..., for printing (File:(...); Envelope:
XXXX) and subsequent making available to the postal distributor who was in charge of its
shipping to address:
       ***ADDRESS.2


       And that the process established for its referral has been carried out and since the launch
provision in CORREOS, that no incident had been received and neither
return of said letter; It was accepted and admitted that the letter had arrived
to its recipient when the Madrid City Council, through the Technical Unit of the
Street guide in writing dated 08/07/2023 has established that “Currently there is no
road in the municipal street map of the city of Madrid with the name of Street (...) and by

Therefore neither does number 75 on this road.” How is it possible to admit that the letter of
Did the request reach its recipient if the shipping address did not exist?

       The appellant carried out the processing of the claimant's data without
any legitimation since the guarantees provided for in article 20 of

the LOPDGDD, given that the debt was not certain, due or payable, a debt that was not
corresponded to the claimant as it arose from a fraudulent contract.

       Therefore, it included the claimant's data in information systems
credit without having proven diligence in the contracting, so it is

responsible for the inaccuracy of the data, having included in the file data from a
debt that did not correspond to the claimant. In addition, he communicated the data of the
claimant when selling a portfolio of credits with the debt non-existent

       - The claimant also alleges a violation of the non bis in idem principle;
points out that the AEPD has already ruled on these events in File 202202936

whose Resolution issued on 06/14/2022 agreed to archive the proceedings.

       However, the aforementioned allegation cannot be accepted either; in it
Exp.202202936 some facts revealed by the claimant were analyzed
in February 2022 in a claim directed against KRUK.


        In the aforementioned file, the claimant stated that “The company KRUK
ESPAÑA SL has accessed my personal data, such as address, telephone number
and email without me having given any consent for this company
process my data. They claim a debt from CaixaBank Payment&Consumer which already

has been reported for identity theft more than 6 months ago, as a result of what
which this company retired the debt. In the false credit card contract requested from
In addition, none of my real information appears, only my name and ID.
Therefore this company, KRUK ESPAÑA SL, has had to access my data

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 28/31








personal in some illicit way since I did not give any consent for
they agreed. As a result, KRUK ESPAÑA SL is claiming a debt from me
that no longer exists with phone calls and harassment to me and my family.”


       KRUK, provided debt recovery services to InvestCapital, acting
as the person in charge of the treatment. The debt claimed, whose original creditor was the
recurring, derived from the fraudulent contracting of the credit card with IKEA.

       We must not forget that on 07/29/2021 InvestCapital, Ltd., acquired the rights

of a debt portfolio of the appellant, passing InvestCapital, Ltd., to
hold the position of creditor.

       On 02/3 and 02/08/2022, the interested party sent two emails to KRUK,
in the first of which he requested to know if she was listed as a debtor in her

systems, and in the second, it indicated that she was not the owner of said debt, that everything
It was the result of an impersonation of his identity regarding the contracting of the card
with the now appellant requesting the deletion of his data, and also informed him
who had reported this circumstance to the police and the AEPD. None of these
complaints were directed against KRUK or InvestCapital.

       KRUK responded to the claimant confirming the amount of the debt and
informing of the assignment of the debt, along with a copy of the credit card contract
original signed with the appellant and the movements of the card. According to the

request to delete the data, KRUK indicated that at the moment it could not be
delete since the creditor (InvestCapital) was aware of the debt, but
given that he had provided evidence of possible fraud by having reported to the police
an identity theft, KRUK informed him that it agreed to paralyze the file
temporarily until we obtain evidence of identity theft that allows

definitively close the file.

       Therefore, the archival resolution only examined the performance and
legitimacy of KRUK regarding the processing of the complainant's data, but in
No case in the aforementioned file was analyzed or questioned the actions of the
recurrent.


       We previously noted that on 07/29/2021 InvestCapital, Ltd., acquired the
credit rights of a debt portfolio of the appellant, passing InvestCapital,
Ltd., to hold the position of creditor by sending the debtors a letter informing
on said assignment of the credit right.


       The appellant responded to the transfer of the claimant's claim of
11/13/2023 indicating in writing dated 12/31/2021 that "as soon as he had
knowledge of the present fraud in the contracting, proceeded to the deletion/blocking
of the personal data of the affected party, and also proceeding to cancel their

data from common credit information systems".

       Although, in a subsequent letter dated 06/14/2022 it stated “The previous
statement was erroneous since the data of the affected party and claimant, referring to the

credit contract with Ikea Visa card mentioned above, had been given
deregistration from credit information systems on August 11, 2021, as

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 29/31








consequence of the aforementioned purchase and sale contract and assignment of credits dated
July 29, 2021.”


       Therefore, as stated in the appealed Resolution, the defendant does not
proceeded to delete the data in the defaulter files or block the data
because he had knowledge of the alleged impersonation of the personality of the
claimant and an alleged fraud in the contracting, but the deletion in the files
It was motivated because the credit was assigned through a contract of

sale formalized in Madrid, with the company InvestCapital Ltd., on date
09/16/2021.

       InvestCapital, as a creditor, never registered the interested party in any
credit information system, such responsibility falls solely on the
appellant who was the one who reported the inclusion of the personal data of the

claimant in the ASNEF and BADEXCUG files, for an illicit debt since he did not
meets none of the requirements of article 20.1 of the LOPDGDD.

       The processing of data carried out by InvestCapital, Ltd., as
responsible for the treatment, and by KRUK ESPAÑA S.L., in its capacity as manager

of the treatment, is the result of the acquisition of the debt package, credits
supposedly unpaid from the appellant and, who, trusting in the
appearance of veracity of the assigned credits, they carried out a treatment of
data caused as an acquirer in good faith, and said
conduct constituting a violation of article 6.1 of the RGPD.


       Behavior that is not predicable of the appellant whose conduct is
contrary to the principle of legality enshrined in article 6.1 of the RGPD; treatment
begins with the fraudulent contracting of the Ikea credit card number ***NUMBER.1 and
that persists with the subsequent inclusion of the claimant's data in the file
Asnef for a debt that did not correspond to it, from 06/30/2020 to 08/11/2021,

deregistration that occurs as a consequence of the aforementioned contract for the transfer of
credits dated 07/29/2021.

       Therefore, as previously noted, the actions of the defendant
represents a violation of article 6.1 of the RGPD, in relation to article 20.1 of the

LOPDGDD, violation of the principle of legality in the processing of data that
requires the existence of a legal basis that legitimizes it; violation that caused
the claimant's data were included in the credit information systems
without the debt being certain, due and payable and without the claimant having
proven to have carried out the legally established weighting, and consequently

without stating that their legitimate interests prevail over the interests, rights and
freedoms of the claimant, an infringement classified in article 83.5.a) of the RGPD.

       - Finally, the appellant insists on the absence of responsibility and
guilt in his actions and that no one can be condemned or punished except for
facts by way of fraud or guilt.


       In the appealed resolution, it was pointed out to the now appellant that the
Strict liability is prohibited in our legal system. In the field
of sanctioning Administrative Law governs the principle of guilt, so that

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 30/31








The subjective or culpable element is an essential condition for the birth of
sanctioning responsibility. Article 28 of Law 40/2015, of Legal Regime
of the Public Sector (LRJSP) regulates the principle of culpability and provides: “1. Only

may be sanctioned for acts constituting an administrative infraction.
natural and legal persons, as well as, when a Law recognizes their capacity to
act, the groups of affected people, the unions and entities without legal personality and the
independent or autonomous assets, which are responsible for them
title of fraud or guilt.”


       In light of this precept, sanctioning responsibility can be demanded from
title of fraud or guilt, being sufficient in the latter case the mere non-observance of the
duty of care.

       The Constitutional Court, among others, in its STC 76/1999, has declared that

Administrative sanctions are of the same nature as criminal sanctions, as they are
one of the manifestations of the ius puniendi of the State, and that, as a requirement
derived from the principles of legal certainty and criminal legality enshrined in the
Articles 9.3 and 25.1 of the EC, their existence is essential to impose them.

       Regarding the guilt of the legal entity, the STC should be cited

246/1991, December 19, 1991 (F.J. 2), according to which, with respect to the
legal persons, the subjective element of fault must necessarily be applied
differently from what is done with respect to natural persons and adds that “This
different construction of the imputability of the authorship of the infraction to the person
legal origin arises from the very nature of legal fiction to which these

subjects. They lack the volitional element in the strict sense, but not the ability to
violate the rules to which they are subject. Violation capacity and, therefore,
direct blameworthiness that derives from the legal good protected by the norm that is
infringes and the need for said protection to be truly effective […]”


       In short, the conduct of the defendant, specified in the violation of the
principle of legality, in relation to article 20 of the LOPDGDD, violates the article
6.1 of the RGPD, action subsumable in the sanctioning type of article 83.5.a) of the
GDPR



                                          IV
       Consequently, in this appeal the appellant has not provided
new facts or legal arguments that allow us to reconsider the validity of the
contested resolution.


       Considering the aforementioned precepts and others of general application,

       The Director of the Spanish Data Protection Agency RESOLVES:

FIRST: DISMISS the appeal for reconsideration filed by CAIXABANK

PAYMENTS & CONSUMER EFC, EP, S.A.U. against the resolution of this Agency
Spanish Data Protection Regulation issued on 11/13/2023, in the file
EXP202105363.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 31/31








SECOND: NOTIFY this resolution to CAIXABANK PAYMENTS &
CONSUMER EFC, EP, S.A.U.


THIRD: Warn the sanctioned person that the sanction imposed must be made effective
once this resolution is notified, in accordance with the provisions of the
article 98.1.b) of law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, within the voluntary payment period indicated in the
Article 68 of the General Collection Regulations, approved by Royal Decree
939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17

December, by depositing it into the restricted account number ES00 0000 0000 0000 0000
0000, opened in the name of the Spanish Data Protection Agency in the Bank
CAIXABANK, S.A. or otherwise, it will be collected within the period
executive.


       If the date of the notification is between the 1st and 15th of each month,
both inclusive, the deadline to make the voluntary payment will be until the 20th of the month
next or immediately following business day, and if it is between the 16th and last day of
each month, both inclusive, the payment term will be until the 5th of the second month
following or immediate subsequent business.


       In accordance with the provisions of article 50 of the LOPDGDD, the
This Resolution will be made public once it has been notified to the interested parties.

       Against this resolution, which puts an end to the administrative procedure in accordance with art.
48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the Law

39/2015, of October 1, of the Common Administrative Procedure of the
Public Administrations (LPACAP), interested parties may file an appeal
contentious-administrative case before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the

Contentious-administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.

       Finally, it is noted that in accordance with the provisions of art. 90.3 a) LPACAP,
may provisionally suspend the final resolution through administrative means if the

interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Data Protection Agency, presenting it through
of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registries provided for in art. 16.4 of the

cited LPACAP. You must also transfer to the Agency the documentation that proves
the effective filing of the contentious-administrative appeal. If the Agency does not
had knowledge of the filing of the contentious-administrative appeal in the
period of two months from the day following notification of this resolution,
would end the precautionary suspension.


                                                                      Sea Spain Martí
                              Director of the Spanish Data Protection Agency


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es