AEPD (Spain) - EXP202317282: Difference between revisions

From GDPRhub
mNo edit summary
mNo edit summary
 
(2 intermediate revisions by 2 users not shown)
Line 63: Line 63:
}}
}}


The DPA found that a lender lacked a legal basis when it erroneously charged debts on a bank account after it failed to verify that the account belonged to the debtor. It also did not comply with the data subject’s deletion request. The controller paid a reduced fine of €150,000 pursuant to national law.
A bank mistakenly linked a data subject's bank account details to an unrelated debtor, which resulted in unsolicited charges on the data subject. The DPA found that the controller lacked a legal basis and imposed a €150,000 fine.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
On 20 October 2023, a data subject filed a complaint with the Spanish DPA (AEPD) against Banco Cetelem, S.A. (the controller). It claimed that the controller, which was a lender, made numerous unsolicited charges on his bank between July and September 2022.  
On 20 October 2023, a data subject filed a complaint with the Spanish DPA (AEPD) against Banco Cetelem, S.A. (the controller). It claimed that the controller, which offered lending services, made numerous unsolicited charges on his bank account between July and September 2022.  


The data subject filed numerous complaints with the controller as well as a police report concerning the charges. On 8 August 2022, the data subject requested the deletion of his account data from the controller’s systems, as well as the reimbursement of the amount expended due to the unduly charged bills. The data subject also reproached the controller for attributing his bank account to a third party without previously requesting the relevant certificate of bank ownership from the third party.  
The data subject filed numerous complaints against the controller as well as a police report concerning the charges. On 8 August 2022, the data subject requested the deletion of his account data from the controller’s systems, as well as the reimbursement of the amount expended due to the unduly charged bills. The data subject also reproached the controller for attributing his bank account to a third party without previously requesting the relevant certificate of bank ownership from the third party.  


One year later, in September 2023, the controller again charged the data subject with a new bill from the same unknown third party lender. The data subject complained about the charge, and the controller once again did the same thing in October 2023.  
One year later, in September 2023, the controller again charged the data subject with a new bill from the controller. The data subject complained to the controller about the charge, but the controller once again made another charge in October 2023.  


The controller claimed that the charges occurred as a result of human error during the initial transcription of the bank account. It informed the AEPD that the data subject’s bank account number had been erroneously attributed to a debtor’s contract and subsequently in the controller’s database. It stated that that it deleted the data subject’s account information from its database after the first claim the data subject filed, but that it then sold the debt to a third party company in June 2023 and that the contract still contained the incorrect account number.
The controller claimed that the charges occurred as a result of human error during the initial transcription of the bank account. It informed the AEPD that the data subject’s bank account number had been erroneously attributed to a debtor’s contract and was subsequently stored this way in the controller’s database. It stated that it deleted the data subject’s account information from its database after the first claim the data subject filed, but that it then sold the debt to a third party company in June 2023 and that the contract still contained the incorrect account number.


=== Holding ===
=== Holding ===
The AEPD found that the controller infringed Articles 6(1) and 17 GDPR because it processed the data subject’s account number without a legal basis and failed to comply with the data subject’s deletion request.  
The AEPD found that the controller infringed Articles 6(1) and 17 GDPR because it processed the data subject’s account number without a legal basis and failed to comply with the data subject’s deletion request.  


Since 2022, the controller was processing the data subject’s bank account information in its debt contract with the debtor, in its databases, and in its transmission to a future debt buyer in June 2023. At no point during this period did the controller correct the issue. As a result, the controller was processing the data subject’s data without a legal basis in violation of [[Article 6 GDPR#1|Article 6(1) GDPR]]. The AEPD considered the processing in 2022 and 2023 (between which the data subject had made a deletion request) separately – thus, it found two [[Article 6 GDPR#1|Article 6(1) GDPR]] violations occurred on the separate processing occasions.  
Since 2022, the controller has been erroneously processing the data subject’s bank account information in its debt contract with the third party debtor, in its databases, and in its transmission to a future debt buyer in June 2023. At no point during this period did the controller correct the issue. As a result, the controller was processing the data subject’s data without a legal basis in violation of [[Article 6 GDPR#1|Article 6(1) GDPR]]. The AEPD considered the processing in 2022 and 2023 (between which the data subject had made a deletion request) separately – thus, it found that two [[Article 6 GDPR#1|Article 6(1) GDPR]] violations occurred on the separate processing occasions.  


The AEPD also found that the controller violated [[Article 17 GDPR#1d|Article 17(1)(d) GDPR]] when it failed to delete the data subject’s data pursuant to an erasure request. After it received the data subject’s deletion request and even though it alleged to have erased the data in 2022, the controller continued making charges on the data subject’s account in 2023.  
The AEPD also found that the controller violated [[Article 17 GDPR#1d|Article 17(1)(d) GDPR]] when it failed to delete the data subject’s data pursuant to an erasure request. After it received the data subject’s deletion request and even though it alleged to have erased the data in 2022, the controller continued making charges on the data subject’s account in 2023.  
Line 95: Line 95:


<pre>
<pre>
1/15
RESOLUTION OF TERMINATION OF PROCEDURE BY VOLUNTARY PAYMENT


From the procedure instructed by the Spanish Data Protection Agency and based on the following


BACKGROUND


 
FIRST: On May 21, 2024, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against BANCO CETELEM, S.A. (hereinafter, the claimed party) through the Agreement transcribed below:
 
 
 
 
 
 
 
File No.: EXP202317282
 
 
      RESOLUTION OF TERMINATION OF THE PAYMENT PROCEDURE
                                    VOLUNTEER
 
 
From the procedure instructed by the Spanish Data Protection Agency and based
to the following
 
 
 
                                  BACKGROUND
 
FIRST: On May 21, 2024, the Director of the Spanish Agency for
Data Protection agreed to initiate sanctioning proceedings against BANCO CETELEM,
S.A. (hereinafter, the claimed party), through the Agreement transcribed:
 


<<
<<


File No.: EXP202317282
File No.: EXP202317282
AGREEMENT TO INITIATE SANCTIONING PROCEDURE
From the actions carried out by the Spanish Data Protection Agency and based on the following


FACTS


FIRST: A.A.A. (hereinafter, the claimant) filed a complaint with the Spanish Data Protection Agency on October 20, 2023. The complaint was directed against BANCO CETELEM, S.A. with NIF A78650348 (hereinafter, CETELEM). The reasons for the complaint are as follows:
The claimant states that CETELEM charges his bank account for loan receipts of an unknown third party. He provides several extracts of these receipts, as well as several claims to CETELEM along with their responses, including a police report. There is an initial series of 8 receipts incorrectly charged to the claimant’s account no. ***ACCOUNT.1, between July and September 2022, at a rate of two receipts per month.
On August 8, 2022, the claimant protested to CETELEM about the misuse of his bank account, requesting the deletion of his bank account data; he also demanded an explanation about how his data was obtained without a prior contractual relationship. He also criticized CETELEM for attributing his bank account to a third party without first requesting the pertinent bank ownership certificate. Additionally, the claimant requested and achieved the return of the amounts of the improperly charged receipts.
Again, a year later, in September 2023, CETELEM charged a new receipt from the same debtor to the claimant’s account. The claimant filed a new claim with CETELEM on 09/21/23; however, CETELEM charged another new receipt on 10/02/23.
CETELEM responded on 10/20/23, acknowledging receipt of the claim, and in its response on 10/23/23, justified its actions by stating that the claimant’s account number appeared in the contract.
Simultaneously, the claimant also filed a report at the ***LOCALITY.1 police station on September 18, 2023.


            AGREEMENT TO START SANCTIONING PROCEDURE
SECOND: In accordance with Article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), the claim was forwarded to the claimed party/ALIAS for analysis and to inform this Agency within one month of the actions taken to comply with the requirements set forth in the data protection regulations.
 
The forwarding, carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was received on December 4, 2023, as evidenced by the acknowledgment of receipt on file.
Of the actions carried out by the Spanish Data Protection Agency and in
based on the following
 
 
                                      FACTS
 
 
FIRST: A.A.A. (hereinafter, the complaining party) dated October 20, 2023
 
filed a claim with the Spanish Data Protection Agency. The
claim is directed against BANCO CETELEM, S.A. with NIF A78650348 (in
forward, CETELEM). The reasons on which the claim is based are the following:
 
The complaining party states that CETELEM loads payment receipts into its bank account.
 
a loan from an unknown third party. Provide several extracts from said receipts, as well
such as several claims before CETELEM along with their responses, including one
police report. There is a first series of 8 receipts improperly charged to the
claimant account no. ***ACCOUNT.1, between the months of July and September 2022,
at a rate of two receipts per month.
 
 
On August 8, 2022, the complaining party protested to CETELEM about the use
improper access to your bank account, requesting the deletion of your account data
banking; also requires an explanation about the obtaining of your data without relation
prior contractual. He also criticized CETELEM for attributing his account
 
bank to a third person, without previously requesting the certificate of ownership
relevant bank. Additionally, the complaining party requested and obtained the return
of the amount of receipts improperly collected.
 
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/15
 
 
 
 
 
 
 
 
 
Again a year later, in September 2023, from CETELEM it is loaded into the
account of the complaining party a new receipt from the same debtor. The part
claimant submits a new claim to CETELEM on 09/21/23; nevertheless,
CETELEM uploaded a new receipt again on 10/2/23.
 
 
CETELEM reacted on 10/20/23 acknowledging receipt of the claim, and, in its
response of 10/23/23, justifies his actions in that the account number of the
claimant is the one who appears in the contract.
 
At the same time, the complainant has also filed a complaint at the police station.
 
***LOCALITY.1 on September 18, 2023.
 
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), said claim was transferred to the party
 
claimed/ALIAS, to proceed with its analysis and inform this Agency in the
within one month, of the actions carried out to adapt to the requirements
provided for in the data protection regulations.
 
The transfer, which was carried out in accordance with the rules established in Law 39/2015, of
October 1, of the Common Administrative Procedure of Administrations
 
Public (hereinafter, LPACAP), was collected on December 4, 2023,
as stated in the acknowledgment of receipt in the file.
 
THIRD: On December 22, 2023, CETELEM responds to the request of
information from the AEPD.
 
 
CETELEM informs that it deleted the claimant's account data from its database
of data after the first claim, but that sold the debt to a third company
in June 2023, and that the contract still incorrectly included the company number
claimant's bank account.
 
In CETELEM's opinion, responsibility for this new incident would correspond to the
 
new company; However, it took steps to resolve the new series of
improper charges to the claimant's account. Finally concludes that the charges
improper amounts of 2022 and 2023 in the claimant's account have been due to errors
humans.
 
FOURTH: On December 29, 2023, in accordance with article 65 of the
 
LOPDGDD, the claim presented by the complaining party was admitted for processing.
 
FIFTH: According to the report collected from the AXESOR tool, the entity
BANCO CETELEM, S.A. is a company established in 1988 and with a volume
of business 64,855,216 euros in 2022.
 
 
                          FOUNDATIONS OF LAW
 
                                          Yo
                                    Competence
 
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/15
 
 
 
 
 
 
 
 
 
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each
 
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, on Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.
 
 
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures."
 
 
                                            II
                                  Unfulfilled obligation
                          Initial treatment without legality article 6
 
Article 4.1 of the GDPR “Definitions” states that:
 
 
“For the purposes of this Regulation it will be understood as:
1) "personal data": any information about an identified natural person or
identifiable ("the interested party"); Any person will be considered an identifiable natural person
whose identity can be determined, directly or indirectly, in particular by
 
an identifier, such as a name, an identification number, data
location, an online identifier or one or more elements of identity
physical, physiological, genetic, mental, economic, cultural or social of said person.”
 
 
 
                            Article 6 Legality of processing
 
1. Treatment will only be legal if at least one of the following is met
conditions:
 
a) the interested party gave his consent for the processing of his personal data
 
for one or more specific purposes;
 
b) the processing is necessary for the execution of a contract in which the interested party
is part of or for the application at his request of pre-contractual measures;
 
 
c) the processing is necessary for compliance with a legal obligation applicable to the
responsible for the treatment;
 
d) the processing is necessary to protect vital interests of the interested party or another
Physical person;
 
 
e) the processing is necessary for the fulfillment of a mission carried out in the interest
public or in the exercise of public powers conferred on the controller;
 
 
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/15
 
 
 
 
 
 
 
 
f) the processing is necessary for the satisfaction of legitimate interests pursued
by the person responsible for the treatment or by a third party, provided that regarding said
interests do not prevail over the interests or fundamental rights and freedoms of the
 
interested party requiring the protection of personal data, in particular when the
interested is a child.


The provisions of letter f) of the first paragraph will not apply to the treatment
THIRD: On December 22, 2023, CETELEM responded to the AEPD's request for information.
carried out by public authorities in the exercise of their functions.
CETELEM reported that it deleted the claimant’s account data from its database following the first claim but sold the debt to a third company in June 2023, and the claimant’s bank account number continued to erroneously appear in the contract.
According to CETELEM, the responsibility for this new incident would lie with the new company; however, it assumed the efforts to resolve the new series of improper charges on the claimant’s account. Finally, it concluded that the improper charges in 2022 and 2023 on the claimant’s account were due to human errors.


FOURTH: On December 29, 2023, in accordance with Article 65 of the LOPDGDD, the claim filed by the claimant was admitted for processing.


CETELEM has the bank account number of the complaining party. Through
FIFTH: According to the report from the AXESOR tool, the entity BANCO CETELEM, S.A. is a company established in 1988 with a business volume of 64,855,216 euros in 2022.
this identification number, the account holder is an identifiable natural person,
Therefore, this data would be considered personal data, in accordance with the
Article 4 of the GDPR. CETELEM recognizes in several of its writings that the number of
bank account of the claiming party appears in the contract of a debtor, and, therefore


therefore, also in the CETELEM database. For this reason, receipts are collected
LEGAL GROUNDS
of this bank debtor in the claimant's bank account.


Although CETELEM seems to point, in its defense, to errors in the initial transcription
I. Jurisdiction
of the account number, the check digits of bank accounts practically
They make it impossible to mistakenly “create” an authentic account number.


According to the powers granted by Article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), to each supervisory authority, and as established in Articles 47, 48.1, 64.2, and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.


This means, as indicated by the complainant, that this error is due to CETELEM
Furthermore, Article 63.2 of the LOPDGDD states: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, as long as they do not contradict them, subsidiarily, by the general rules on administrative procedures."
would have incorporated the claimant's bank account into the debtor's contract, without
ensure ownership of the account.


II. Obligation Breached


In view of the above, it seems clear that CETELEM would initially have the number
Initial Processing without Lawfulness - Article 6
full account of the claimant's bank account, but does not satisfactorily clarify
How could this information have appeared in a contract of a CETELEM client,
taking into account that the claimant who does not have, nor has had a prior contractual relationship
with this entity.


Article 4.1 of the GDPR “Definitions” states:
“For the purposes of this Regulation:


Between the months of July and September 2022, CETELEMA improperly uploads series
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
of 8 receipts in the claimant's account No. ***ACCOUNT.1, at a rate of two receipts per
Article 6 Lawfulness of Processing
month. On August 8, 2022, the complaining party protested to CETELEM about the use
improper access to your bank account, requesting the deletion of your account data
banking.


Processing shall be lawful only if and to the extent that at least one of the following applies:
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The first subparagraph of point (f) shall not apply to processing carried out by public authorities in the performance of their tasks.”
CETELEM has the bank account number of the claimant. Through this identification number, the account holder is an identifiable natural person, making this data personal data according to Article 4 of the GDPR. CETELEM acknowledges in several of its writings that the claimant's bank account number appears in a debtor's contract and, therefore, also in CETELEM's database. For this reason, the debtor’s receipts are charged to the claimant's bank account.


In September 2023, CETELEM will debit the account of the complaining party.
Although CETELEM seems to attribute the issue to initial transcription errors of the account number, the control digits of bank accounts almost eliminate the possibility of an "accidental" creation of a genuine account number.
a new receipt from the same debtor. The complaining party presents a new
claim to CETELEM on 09/21/23; However, CETELEM again uploaded a
new receipt on 10/2/23.


This suggests, as the claimant indicates, that the error is due to CETELEM incorporating the claimant's bank account into the debtor’s contract without verifying the account’s ownership.


CETELEM had the claimant's account number since 2022, the first in its
Given the above, it appears clear that CETELEM initially had the claimant's full bank account number, but it does not satisfactorily explain how this information appeared in a CETELEM client’s contract, given that the claimant has no prior contractual relationship with this entity.
database and in the debt contract, and in 2023 your account number in the following
in the debtor's contract, without having rectified or deleted this information.
CETELEM declares that it has also transferred the claimant's account to a third party.


company in June 2023 with the sale of the debt.
Between July and September 2022, CETELEM improperly charged a series of 8 receipts to the claimant’s account no. ***ACCOUNT.1, at a rate of two receipts per month. On August 8, 2022, the claimant protested to CETELEM about the misuse of his bank account, requesting the deletion of his bank account data.


In this way, CETELEM would have processed the claimant's personal information without
In September 2023, CETELEM charged a new receipt from the same debtor to the claimant’s account. The claimant filed a new claim with CETELEM on 09/21/23; however, CETELEM charged another new receipt on 10/02/23.
legality, given that there is no consent, nor is there any legal or contractual obligation,


C/ Jorge Juan, 6 www.aepd.es
CETELEM had the claimant’s account number in its database and in the debt contract since 2022, and in 2023, the account number remained in the debtor’s contract without being corrected or deleted. CETELEM also transferred the claimant's account data to a third company in June 2023 with the sale of the debt.
28001 – Madrid sedeagpd.gob.es 5/15


Thus, CETELEM processed the claimant's personal information without lawful basis, given that there was no consent, legal, or contractual obligation to justify its processing. As a result of this processing, the claimant endured various charges for a debt in his account over several months in 2022 and 2023, for a debt held by another person.


III. Classification and Assessment of the Infraction


Based on the evidence currently available, and without prejudice to what may result from the instruction and according to the known facts, the claimant is identifiable through his bank account number, in which CETELEM charges a series of receipts.


The claimant is not the owner of the debts charged and has no prior contractual relationship with CETELEM. This means that CETELEM performs this processing without lawfulness, as it does not have the consent of the data subject.


The known facts could constitute an infraction, attributable to CETELEM, of Article 6 of the GDPR (Lawfulness of Processing), due to processing without a legitimate basis.


This infraction of the GDPR article is classified in Article 83.5.a) as follows:
“5. Infringements of the following provisions shall be subject to administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
a) the basic principles for processing, including conditions for consent pursuant to Articles 5, 6, 7, and 9;”


For the purposes of the statute of limitations for infractions, the imputed infraction prescribes in three years, in accordance with Article 72.1.b of the LOPDGDD, which qualifies the following conduct as very serious:
“b) The processing of personal data without any of the conditions of lawfulness of processing established in Article 6 of Regulation (EU) 2016/679.”


that justifies its treatment and as a consequence of this treatment, the claimant
IV. Proposed Sanction
you have borne various charges of a debt on your account for several months in
2022 and 2023, of a debt whose owner was another person.


This infraction can be sanctioned with an administrative fine of up to 20,000,000 EUR or, in the case of a company, an amount equivalent to a maximum of 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.


                                          III
Article 83.2 of the GDPR on general conditions for imposing administrative fines states that they will be imposed, depending on the circumstances of each individual case, additionally or alternatively to the measures contemplated in Article 58, section 2, letters a) to h) and j).
                        Classification and classification of the offense


In accordance with the evidence available at the present time, and
In the present case, it would be appropriate to apply section a) which states:
Without prejudice to what results from the instruction and according to the known facts, the
“a) the nature, gravity, and duration of the infringement, taking into account the nature, scope or purpose of the processing operation concerned as well as the number of data subjects affected and the level of damage and harm they have suffered;”


claimant is identifiable through his bank account number in which
The nature and scope of the processing affect the claimant's property rights as CETELEM charges his bank account.
CETELEM uploads a series of receipts.


The claiming party is not the owner of the debts charged and does not have, nor has it had
Article 76.2 of the LOPDGDD, relating to sanctions and corrective measures, states the following in letter b):
any prior contractual relationship with CETELEM. This means that CETELEM carries out
“2. According to the provisions of Article 83.2.k) of Regulation (EU) 2016/679, the following may also be considered:
b) The link between the infringer's activity and the processing of personal data.


this treatment without legality, as it does not have the consent of the interested party.
CETELEM is a banking entity, so it has a qualified link in the processing of personal data, especially concerning the accuracy of its processing.


The known facts could constitute an infringement, attributable to the party
In view of the foregoing, a fine of 100,000 EUR is proposed.
to CETELEM, of article 6 of the RGPD (Legitimacy of processing), for processing without
basis of legitimation.


V. Breach of Right to Erasure - Article 17(1)(d) of the GDPR


This violation of the GDPR article is classified in article 83.5. a) as follows:
Article 17 of the GDPR, relating to the right to erasure, states the following in section 1(d):


"5. Violations of the following provisions will be sanctioned, in accordance with the
"The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or,
In the case of a company, an amount equivalent to a maximum of 4% of the
 
global total annual business volume of the previous financial year, opting for
the largest amount:
 
a) the basic principles for the treatment, including the conditions for the
consent in accordance with articles 5, 6, 7 and 9;”
 
 
 
For the purposes of the limitation period for infringements, the alleged infringement
prescribes after three years, in accordance with article 72.1.b of the LOPDGDD, which qualifies as
The following behavior is very serious:
 
 
“b) The processing of personal data without any of the conditions of
legality of the treatment established in article 6 of Regulation (EU) 2016/679.”
 
                                          IV
                                Sanction proposal
 
 
This violation can be punished with an administrative fine of EUR 20,000,000.
maximum or, in the case of a company, an amount equivalent to 4% as
maximum of the total global annual turnover of the previous financial year,
opting for the largest amount.
 
 
Article 83.2 of the GDPR on general conditions for the imposition of fines
administrative provisions established will be imposed, depending on the circumstances of each case
 
 
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/15
 
 
 
 
 
 
 
 
individually, as an additional or substitute for the measures contemplated in the article
58, section 2, letters a) to h) and j).
 
 
In the present case, section a) would apply, which establishes:
“a) the nature, severity and duration of the infringement, taking into account the
nature, scope or purpose of the processing operation in question
such as the number of interested parties affected and the level of damages that
 
have suffered;”
 
 
The nature and scope of the processing affects the economic rights of the
claimant when CETELEM makes charges to his bank account.
Article 76.2 of the LOPDGDD, relating to sanctions and corrective measures, establishes
 
the following in letter b):
 
"2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
may also be taken into account:
 
b) The linking of the offender's activity with the performance of medical treatment.
 
personal information".
CETELEM is a banking entity, so it has a qualified connection in the
 
processing of personal data, in particular, with accuracy in its
treatment.
 
 
In view of the above, a fine of €100,000 is proposed.
 
                                            V
                                Unfulfilled obligation
                      Right to erasure 17 1. d) of the GDPR
 
 
For its part, article 17 of the RGPD, relating to the right of deletion, establishes what
following in section 1 d):
 
“The interested party will have the right to obtain without undue delay from the person responsible for the
processing the deletion of personal data that concerns you, which will be
 
obliged to delete personal data without undue delay when any
of the following circumstances:
(…)
(…)
d) the personal data have been processed unlawfully;
d) the personal data have been unlawfully processed;
(…)”
(…)”


In September and October 2023, according to the bank receipts provided by the claimant, CETELEM made new charges to his account. CETELEM acknowledges its breach of the right to erasure requested by stating that the rectification and erasure of the claimant’s account took place only in the database, but not in the contract, which was the legal basis of the debt.


In September and October 2023, according to the bank receipts provided by the party
The obligation of the controller to proceed with the erasure of unlawfully processed data without undue delay is also reflected in Article 5.1(d) of the GDPR:
claimant, CETELEM returned to make new charges to his account. Recognize
CETELEM its breach of the requested right of deletion, when it declares that
the rectification and deletion of the claimant's account took place only on the basis of
data, but not in the contract that was the legal basis of the debt.
 
 
 
 
 
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/15
 
 
 
 
 
 
 
 
The obligation on the part of the person responsible for the file to proceed with the deletion without
delay of illicitly processed data is also included in article 5.1.d) of the
GDPR:
 


1. Personal data will be:
"1. Personal data shall be:
(…)
(…)
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(…)”


d) accurate and, if necessary, updated; all measures will be taken
"2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
reasonable grounds for the immediate deletion or rectification of personal data


are inaccurate with respect to the purposes for which they are processed (“accuracy”);
In light of the described facts, it seems clear that CETELEM limited itself to erasing the claimant’s data only from the database, but not from the contract. More than a year after the claim, CETELEM has not taken all reasonable steps for the erasure and rectification without delay of the claimant’s data.
(…)


2. The person responsible for the treatment will be responsible for compliance with the provisions
VI. Classification and Assessment of the Infraction
in section 1 and able to demonstrate it ("proactive responsibility").


Based on the available evidence at present and without prejudice to the outcome of the proceedings, it is considered that CETELEM did not effectively erase the claimant's account number in September and October 2023. According to CETELEM's own statement, it only erased the data in the database, but not in the contract underlying the improper charges, despite the exercise of the right to erasure without the data subject’s consent on August 8, 2022.


In view of the facts described, it seems clear that CETELEM would only have limited
As a result of the improper processing, CETELEM again made unjustified charges to the claimant's account from another person.
delete the claimant's data only from the database, but not from the contract.
CETELEM more than 1 year after the claim, has not adopted all the
reasonable measures for the immediate deletion and rectification of data of the party
claimant.


The known facts could constitute an infraction, attributable to CETELEM, of Article 17.1(d) of the GDPR, relating to the right to erasure, which states:


                                          SAW
"1) The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
                        Classification and classification of the offense
 
In accordance with the evidence available at the present time and without prejudice
 
of what results from the instruction, it is considered that CETELEM has not suppressed
effectively the claimant's account number in September and October
2023. According to its own statement, CETELEM would have only proceeded to delete
the database, but not in the base contract of the improper charges, despite the
exercise of the right of deletion without the consent of the interested party on August 8
 
of 2022.
 
As a consequence of the improper treatment indicated, CETELEM has once again carried out
unjustified charges from another person on the claimant's account.
 
The known facts could constitute an infringement, attributable to the party
 
to CETELEM, of article 17.1.d) of the RGPD, relating to the right of deletion, which
establishes the following:
 
“1) The interested party will have the right to obtain without undue delay from the person responsible for the
processing the deletion of personal data that concerns you, which will be
 
obliged to delete personal data without undue delay when any
of the following circumstances:
(…)
(…)
d) the personal data have been processed unlawfully;
d) the personal data have been unlawfully processed;
(…)”
(...)"
 
 
This violation of the GDPR article is classified in article 83.5.b) as follows:
"5. Violations of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or,
 
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/15
 
 
 
 
 
 
 
 
In the case of a company, an amount equivalent to a maximum of 4% of the
global total annual business volume of the previous financial year, opting for
the largest amount:
 
 
b) the rights of the interested parties under articles 12 to 22;”
 
For the purposes of the limitation period for infringements, as it is a
punctual breach of the right of deletion, the alleged infringement prescribes to the
year, in accordance with article 74.1.c of the LOPDGDD, which qualifies as slight the following
 
conduct:
 
“c) Not responding to requests to exercise the rights established in the articles
15 to 22 of Regulation (EU) 2016/679, unless the provisions are applicable
in article 72.1.k) of this organic law.”
 
 
                                          VII
                                Sanction proposal
 
This violation can be punished with an administrative fine of EUR 20,000,000.
maximum or, in the case of a company, an amount equivalent to 4% as
 
maximum of the total global annual turnover of the previous financial year,
opting for the largest amount.
 
Article 83.2 of the GDPR on general conditions for the imposition of fines
administrative provisions established will be imposed, depending on the circumstances of each case
 
individually, as an additional or substitute for the measures contemplated in the article
58, section 2, letters a) to h) and j).
 
In the present case, it would be appropriate to apply sections a) and b) that establish:
“a) the nature, severity and duration of the infringement, taking into account the
 
nature, scope or purpose of the processing operation in question
such as the number of interested parties affected and the level of damages that
have suffered;
 
 
The effective suppression of the requested treatment has far exceeded the period of 1
year, which is considered an aggravating factor in liability. The breach of
duty of accuracy of the data, has forced the complaining party to reiterate the
deletion of their data, even the complaining party going so far as to file a complaint
before the police, for fraud.
 
 
“b) intentionality or negligence in the infringement.”
 
The deletion of the account number of the complaining party only in the database, but
not in the contract, would point to negligent behavior on the part of CETELEM.
 
 
Article 76.2 of the LOPDGDD, relating to sanctions and corrective measures, establishes
the following in letter b):
 
"2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
 
may also be taken into account:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/15
 
 
 
 
 
 
 
 
 
b) The linking of the offender's activity with the performance of medical treatments.
personal information".
 
CETELEM is a banking entity, so it has a qualified connection in the
processing of personal data, in particular, with accuracy in its
treatment.
 
In view of the above, a fine of €50,000 is proposed.
 
 
 
                              VIII Unfulfilled obligation
                        Second treatment without legality article 6
 
Article 4.2 of the GDPR “Definitions” establishes that:
 
“For the purposes of this Regulation it will be understood as:
 
 
2) "treatment": any operation or set of operations performed on
personal data or sets of personal data, whether by procedures
automated or not, such as the collection, registration, organization, structuring,
conservation, adaptation or modification, extraction, consultation, use,
 
communication by transmission, broadcast or any other form of enabling
access, collation or interconnection, limitation, deletion or destruction;” (…)
 
In September and October 2023, two new charges were made to the account again
of the claimant for the same debtor, which means that CETELEM would not have
 
proceeded to delete the data of the complaining party. CETELEM informs the
AEAT in this regard in the previous actions, which has sold the debt to a third party
company along with the contract that contains the erroneous data of the complaining party.
 
It states that, as a consequence of the sale of the debt, the responsibility for the
accuracy of the data would already be the responsibility of the new company and which, however, has had
 
or take care of the resolution of the new incident of improper charges on the account
of the claimant.
 
With the transfer of the checking account number of the complaining party to a third party,
makes
 
CETELEM a new data processing (“communication by transmission”, the article
4.2 of the RGPD), for which it is necessary to comply again with the conditions of
legality provided for in article 6 of the RGPD:
 
1. Treatment will only be legal if at least one of the following is met
 
conditions:
 
a) the interested party gave his consent for the processing of his personal data
for one or more specific purposes;
 
b) the processing is necessary for the execution of a contract in which the interested party
 
is part of or for the application at his request of pre-contractual measures;
 
 
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/15
 
 
 
 
 
 
 
 
c) the processing is necessary for compliance with a legal obligation applicable to the
responsible for the treatment;
 
 
CETELEM already lacks legality for account data in August 2022
current of the claimed part; does not have the consent of the interested party and the
treatment carried out is not necessary for compliance with a legal obligation or
contractual.
 
This is information that should never have been available and whose deletion, requested by the
 
interested. Since the year prior to this transfer, CETELEM has been aware of the lack of
legality of this treatment, because the complaining party had already exercised its right to
deletion due to illicit processing of your bank account number.
 
CETELEM has kept the information improperly claimed and with the sale of
 
the debt, would have carried out a new treatment, informing a third company
the account data of the claimed party without the conditions of legality provided for in
article 6.1.a) of the GDPR.
 
 
                                          IX
 
                        Classification and classification of the offense
 
In accordance with the evidence available at the present time, and
Without prejudice to what results from the instruction, CETELEM recognizes before the AEPD the
transfer of the account number of the complaining party to a third company, which is a
 
new processing carried out with the manifest opposition of the interested party.
 
The known facts could constitute an infringement, attributable to
CETELEM, of article 6 of the RGPD (legality of processing), by processing
consisting of the transfer of interested party data to third parties without the consent of the interested party.
 
interested:
 
 
This violation of the GDPR article is classified in article 83.5. a) as follows:
 
"5. Violations of the following provisions will be sanctioned, in accordance with the
 
paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or,
In the case of a company, an amount equivalent to a maximum of 4% of the
global total annual business volume of the previous financial year, opting for
the largest amount:
 
 
a) the basic principles for the treatment, including the conditions for the
consent in accordance with articles 5, 6, 7 and 9;”
 
For the purposes of the limitation period for infringements, the alleged infringement
prescribes after three years, in accordance with article 72.1.b of the LOPDGDD, which qualifies as
 
The following behavior is very serious:
 
“b) The processing of personal data without any of the conditions of
legality of the treatment established in article 6 of Regulation (EU) 2016/679.”
 
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/15
 
 
 
 
 
 
 
 
 
 
                                          x


                                Sanction proposal
This infraction of the GDPR article is classified in Article 83.5(b) as follows:


This violation can be punished with an administrative fine of EUR 20,000,000.
"5. Infringements of the following provisions shall be subject to administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
maximum or, in the case of a company, an amount equivalent to 4% as
b) the rights of the data subjects pursuant to Articles 12 to 22;"
maximum of the total global annual turnover of the previous financial year,
opting for the largest amount.


For the purposes of the statute of limitations for infractions, since this is a specific failure to comply with the right to erasure, the imputed infraction prescribes in one year, in accordance with Article 74.1(c) of the LOPDGDD, which qualifies the following conduct as minor:
"c) Failure to respond to requests to exercise the rights established in Articles 15 to 22 of Regulation (EU) 2016/679, unless the provisions of Article 72.1.k) of this organic law apply."


Article 83.2 of the GDPR establishes that administrative fines will be imposed, in
VII. Proposed Sanction
depending on the circumstances of each individual case, in addition to or in lieu of
the measures referred to in Article 58, paragraph 2, letters a) to h) and j). For its part,
Article 76 of the LOPDGDD, relating to sanctions and corrective measures, establishes


that:
This infraction can be sanctioned with an administrative fine of up to 20,000,000 EUR or, in the case of a company, an amount equivalent to a maximum of 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.


"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation
Article 83.2 of the GDPR on general conditions for imposing administrative fines states that they will be imposed, depending on the circumstances of each individual case, additionally or alternatively to the measures contemplated in Article 58, section 2, letters a) to h) and j).
(EU) 2016/679 will be applied taking into account the graduation criteria
established in section 2 of the aforementioned article.


In the present case, it would be appropriate to apply sections a) and b) which state:
“a) the nature, gravity, and duration of the infringement, taking into account the nature, scope or purpose of the processing operation concerned as well as the number of data subjects affected and the level of damage and harm they have suffered;”


2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
The effective erasure of the requested processing has exceeded the period of 1 year, which is considered an aggravating factor of responsibility. The failure to maintain data accuracy has forced the claimant to repeatedly request the erasure of his data, even leading him to file a police report for fraud.
may also be taken into account:


“b) The linking of the offender's activity with the performance of treatment
“b) the intentionality or negligence of the infringement.
personal information".


The erasure of the claimant’s account number only in the database, but not in the contract, indicates negligent behavior by CETELEM.


CETELEM is a banking entity, so it has a qualified connection in the
Article 76.2 of the LOPDGDD, relating to sanctions and corrective measures, states the following in letter b):
processing of personal data, in particular, with accuracy in its
“2. According to the provisions of Article 83.2.k) of Regulation (EU) 2016/679, the following may also be considered:
treatment, so obtaining the account number is especially serious.
b) The link between the infringer's activity and the processing of personal data.”
bank of the claimant, its maintenance, despite the right of deletion of the


interested party, and finally the transfer to a third party without effective verification of the
CETELEM is a banking entity, so it has a qualified link in the processing of personal data, especially concerning the accuracy of its processing.
accuracy of the data.


In view of the above, a fine of €100,000 is proposed.
In view of the foregoing, a fine of 50,000 EUR is proposed.


VIII. Obligation Breached


Second Unlawful Processing - Article 6


                                          XI
Article 4.2 of the GDPR "Definitions" states:
                                Adoption of measures
"For the purposes of this Regulation:
2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;"


If the violation is confirmed, it could be agreed to impose on the person responsible the adoption of
In September and October 2023, two new charges were made to the claimant's account for the same debtor, indicating that CETELEM had not erased the claimant's data. CETELEM informed the AEAT in previous actions that it sold the debt to a third company along with the contract containing the erroneous claimant's data. CETELEM claims that as a result of the debt sale, the responsibility for data accuracy now lies with the new company and that it nonetheless has taken steps to resolve the new incident of improper charges to the claimant's account.
appropriate measures to adjust its actions to the regulations mentioned in this


act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to the
By transferring the claimant's account number to a third party, CETELEM engaged in a new data processing operation ("disclosure by transmission," Article 4.2 of the GDPR), for which it is necessary to comply again with the lawfulness conditions set out in Article 6 of the GDPR:
which each control authority may “order the person responsible or in charge of the
treatment that the processing operations comply with the provisions of the
this Regulation, where appropriate, in a certain manner and within a
specified period…” The imposition of this measure is compatible with the sanction


consisting of an administrative fine, as provided in art. 83.2 of the GDPR.
Processing shall be lawful only if at least one of the following applies:
It could then be agreed to adopt appropriate organizational measures to
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
avoid errors in the future such as the one produced in this case within a period of 3 months, as well
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
As of August 2022, CETELEM lacked the legal basis to process the claimant's account data; it did not have the data subject's consent, and the processing was not necessary for compliance with a legal or contractual obligation.


This information should never have been in CETELEM's possession, and its erasure was requested by the data subject. Since the previous year, CETELEM has been aware of the unlawfulness of this processing because the claimant had already exercised his right to erasure due to the unlawful processing of his bank account number.


C/ Jorge Juan, 6 www.aepd.es
CETELEM improperly retained the claimed information and, by selling the debt, engaged in a new processing activity by disclosing the claimant's account data to a third company without meeting the lawfulness conditions set out in Article 6.1(a) of the GDPR.
28001 – Madrid sedeagpd.gob.es 12/15


IX. Classification and Assessment of the Infraction


Based on the available evidence at present and without prejudice to the outcome of the proceedings, CETELEM acknowledges before the AEPD the transfer of the claimant's account number to a third company, which constitutes a new processing carried out with the express opposition of the data subject.


The known facts could constitute an infraction, attributable to CETELEM, of Article 6 of the GDPR (lawfulness of processing), for processing that involves the transfer of the data subject's information to third parties without the data subject's consent:


This infraction of the GDPR article is classified in Article 83.5.a) as follows:
"5. Infringements of the following provisions shall be subject to administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
a) the basic principles for processing, including conditions for consent pursuant to Articles 5, 6, 7, and 9;"


For the purposes of the statute of limitations for infractions, the imputed infraction prescribes in three years, in accordance with Article 72.1.b of the LOPDGDD, which qualifies the following conduct as very serious:
"b) The processing of personal data without any of the conditions of lawfulness of processing established in Article 6 of Regulation (EU) 2016/679."


X. Proposed Sanction


This infraction can be sanctioned with an administrative fine of up to 20,000,000 EUR or, in the case of a company, an amount equivalent to a maximum of 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.


such as the communication of suppression of the treatment to the company to which CETELEM
Article 83.2 of the GDPR states that administrative fines will be imposed, depending on the circumstances of each individual case, additionally or alternatively to the measures contemplated in Article 58, section 2, letters a) to h) and j). Article 76 of the LOPDGDD, relating to sanctions and corrective measures, establishes that:
transferred the data of the complaining party, due to the sale of the debt.
"1. The sanctions provided for in sections 4, 5, and 6 of Article 83 of Regulation (EU) 2016/679 shall be applied taking into account the graduation criteria established in section 2 of the cited article.
2. According to the provisions of Article 83.2.k) of Regulation (EU) 2016/679, the following may also be considered:
b) The link between the infringer's activity and the processing of personal data."


CETELEM is a banking entity, which means it has a qualified link in the processing of personal data, especially regarding the accuracy of its processing. This makes the acquisition of the claimant's bank account number, its retention despite the data subject's right to erasure, and finally its transfer to a third party without effective verification of the data's accuracy particularly serious.


It is warned that failure to comply with the possible order to adopt measures imposed by
In view of the foregoing, a fine of 100,000 EUR is proposed.
This body in the sanctioning resolution may be considered as a
administrative offense in accordance with the provisions of the RGPD, classified as
infringement in its article 83.5 and 83.6, and such conduct may be motivated by the opening of a
subsequent administrative sanctioning procedure.


XI. Adoption of Measures


Therefore, in accordance with the above, by the Director of the Agency
If the infraction is confirmed, it could be decided to impose on the controller the adoption of appropriate measures to adjust its actions to the regulations mentioned in this act, in accordance with Article 58.2(d) of the GDPR, which states that each supervisory authority may “order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period...”. The imposition of this measure is compatible with the administrative fine sanction, as provided in Article 83.2 of the GDPR.
Spanish Data Protection,
HE REMEMBERS:


FIRST: START SANCTIONING PROCEDURE against BANCO CETELEM, S.A.,
Therefore, it could be decided to adopt appropriate organizational measures to avoid future errors like the one in this case within 3 months, as well as to communicate the erasure of the data processing to the company to which CETELEM transferred the claimant's data, due to the sale of the debt.


with NIF A78650348, for two alleged violations of articles 6 and one violation
It is warned that failure to comply with the possible order to adopt measures imposed by this body in the sanctioning resolution could be considered an administrative infraction under the GDPR, classified as an infraction in Articles 83.5 and 83.6, and such conduct could motivate the initiation of a subsequent administrative sanctioning procedure.
of article 17.1.d) of the RGPD, all of them classified in article 83.5 of the RGPD.


SECOND: APPOINT B.B.B. as instructor. and, as secretary, to C.C.C.,
Therefore, in view of the foregoing, the Director of the Spanish Data Protection Agency agrees:
indicating that they may be challenged, if applicable, in accordance with the provisions of the


articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Sector
FIRST: TO INITIATE SANCTIONING PROCEDURE against BANCO CETELEM, S.A., with NIF A78650348, for two alleged infractions of Article 6 and one infraction of Article 17.1(d) of the GDPR, all of them classified in Article 83.5 of the GDPR.
Public (LRJSP).


THIRD: INCORPORATE into the sanctioning file, for evidentiary purposes, the
SECOND: TO APPOINT B.B.B. as instructor and C.C.C. as secretary, indicating that they may be challenged, if applicable, in accordance with Articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).
claim filed by the complaining party and its documentation, as well as the


documents obtained and generated by the General Subdirectorate of Inspection of
THIRD: TO INCORPORATE into the sanctioning file, for evidentiary purposes, the complaint filed by the claimant and its documentation, as well as the documents obtained and generated by the Subdirectorate General of Data Inspection in the actions prior to the initiation of this sanctioning procedure.
Data in the actions prior to the start of this sanctioning procedure.


FOURTH: THAT for the purposes provided for in art. 64.2 b) of law 39/2015, of 1
FOURTH: FOR the purposes provided in Article 64.2(b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the sanction that could correspond would be two hundred and fifty thousand euros (€250,000), one hundred thousand euros (€100,000) for the initial infraction of Article 6, fifty thousand (€50,000) for the infraction of Article 17.1(d), and one hundred thousand euros (€100,000) for the second infraction of Article 6, without prejudice to the result of the instruction.
October, of the Common Administrative Procedure of Public Administrations, the
sanction that could correspond would be two hundred and fifty thousand euros


(€250,000), one hundred thousand euros (€100,000) for the initial violation of art 6, fifty thousand
FIFTH: TO NOTIFY this agreement to BANCO CETELEM, S.A., with NIF A78650348, granting a hearing period of ten business days to make allegations and present evidence deemed appropriate. In the statement of allegations, the NIF and the file number in the heading of this document must be provided.
(€50,000) for the violation of article 17.1.d) and one hundred thousand euros (€100,000) for the
second violation of article 6, without prejudice to what results from the investigation.


FIFTH: NOTIFY this agreement to BANCO CETELEM, S.A., with NIF
If within the stipulated period no allegations are made to this initiation agreement, it may be considered a proposed resolution, as provided in Article 64.2(f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP).


A78650348, granting him a hearing period of ten business days to formulate
In accordance with Article 85 of the LPACAP, responsibility may be acknowledged within the period granted for making allegations to this initiation agreement; this will entail a 20% reduction in the sanction to be imposed in this procedure. With the application of this reduction, the sanction would be set at two hundred thousand euros (€200,000), resolving the procedure with the imposition of this sanction.
the allegations and present the evidence that you consider appropriate. In his writing of
allegations must provide your NIF and the file number that appears in the
heading of this document.


Similarly, at any time before the resolution of this procedure, voluntary payment of the proposed sanction may be made, which will entail a 20% reduction of its amount. With the application of this reduction, the sanction would be set at two hundred thousand euros (€200,000) and its payment will imply the termination of the procedure, without prejudice to the imposition of the corresponding measures.


If within the stipulated period you do not make allegations to this initial agreement, the same
The reduction for voluntary payment of the sanction is cumulative to that applicable for acknowledgment of responsibility, provided that this acknowledgment of responsibility is expressed within the period granted for making allegations to the initiation of the procedure. Voluntary payment of the referred amount of two hundred thousand euros (€200,000), or one hundred and fifty thousand euros (€150,000) if both reductions are applied, must be made into the account IBAN: ES00 0000 0000 0000 0000 0000 (BIC/SWIFT Code: XXXXXXXXXXX) opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A., indicating in the concept the reference number of the procedure listed in the heading of this document and the reason for the reduction being applied.
may be considered a proposal for a resolution, as established in the article
64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (hereinafter, LPACAP).


In accordance with the provisions of article 85 of the LPACAP, you may recognize your
Additionally, proof of payment must be sent to the Subdirectorate General of Inspection to continue the procedure in accordance with the amount paid.


responsibility within the period granted for the formulation of allegations to the
The procedure will have a maximum duration of twelve months from the date of the initiation agreement. If this period elapses without a resolution being issued and notified, the procedure will expire, resulting in the archiving of actions; in accordance with Article 64 of the LOPDGDD.
present initiation agreement; which will entail a 20% reduction in the
sanction that may be imposed in this procedure. With the application of this


Finally, it is noted that in accordance with Article 112.1 of the LPACAP, no administrative appeal is possible against this act.


C/ Jorge Juan, 6 www.aepd.es
Mar España Martí
28001 – Madrid sedeagpd.gob.es 13/15
 
 
 
 
 
 
 
 
reduction, the penalty would be established at two hundred thousand euros (€200,000),
resolving the procedure with the imposition of this sanction.
 
 
Likewise, you may, at any time prior to the resolution of this
procedure, carry out the voluntary payment of the proposed sanction, which
will mean a 20% reduction in the amount. With the application of this reduction,
The sanction would be established at two hundred thousand euros (€200,000) and its payment
will imply the termination of the procedure, without prejudice to the imposition of the
corresponding measures.
 
 
The reduction for the voluntary payment of the penalty is cumulative with that corresponding
apply for recognition of responsibility, provided that this recognition
of the responsibility becomes evident within the period granted to formulate
allegations at the opening of the procedure. The voluntary payment of the referred amount
 
in the previous paragraph may be done at any time prior to the resolution. In
In this case, if both reductions were to be applied, the amount of the penalty would remain
established at one hundred and fifty thousand euros (€150,000).
 
In any case, the effectiveness of any of the two mentioned reductions will be
conditioned upon the withdrawal or waiver of any action or appeal pending.
 
administrative against the sanction.
 
In the event that you choose to proceed with the voluntary payment of any of the amounts
indicated above two hundred thousand euros (€200,000), or one hundred and fifty thousand
euros (€150,000) must be made effective by depositing it into the IBAN account number:
 
ES00 0000 0000 0000 0000 0000 (BIC/SWIFT Code: XXXXXXXXXXXX) open to
name of the Spanish Data Protection Agency in the banking entity
CAIXABANK, S.A., indicating in the concept the reference number of the
procedure that appears in the heading of this document and the cause of
reduction of the amount to which it is accepted.
 
 
Likewise, you must send proof of income to the General Subdirectorate of
Inspection to continue the procedure in accordance with the quantity
entered.
 
The procedure will have a maximum duration of twelve months from the date
 
of the initiation agreement. After that period has elapsed without it having been issued and notified
resolution will expire and, consequently, the proceedings will be archived;
in accordance with the provisions of article 64 of the LOPDGDD
 
Finally, it is noted that in accordance with the provisions of article 112.1 of the LPACAP,
 
There is no administrative appeal against this act.
 
Sea Spain Martí
Director of the Spanish Data Protection Agency
Director of the Spanish Data Protection Agency


>>
>>


SECOND: On May 31, 2024, the claimed party has proceeded to pay
SECOND: On May 31, 2024, the claimed party proceeded to pay the sanction in the amount of 150,000 euros using the two reductions provided in the previously transcribed initiation agreement, which implies the acknowledgment of responsibility.
of the penalty in the amount of 150,000 euros making use of the two reductions


C/ Jorge Juan, 6 www.aepd.es
THIRD: The payment made, within the period granted to submit allegations to the initiation of the procedure, entails the waiver of any action or appeal in administrative proceedings against the sanction and the acknowledgment of responsibility in relation to the facts referred to in the Initiation Agreement.
28001 – Madrid sedeagpd.gob.es 14/15


FOURTH: In the previously transcribed Initiation Agreement, it was stated that, if the infraction is confirmed, it could be decided to impose on the controller the adoption of appropriate measures to adjust its actions to the regulations mentioned in this act, in accordance with Article 58.2(d) of the GDPR, which states that each supervisory authority may “order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period...”.


Having acknowledged responsibility for the infraction, it is appropriate to impose the measures included in the Initiation Agreement.


LEGAL GROUNDS


I. Jurisdiction


According to the powers granted by Article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), to each supervisory authority, and as established in Articles 47, 48.1, 64.2, and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.


Furthermore, Article 63.2 of the LOPDGDD states: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, as long as they do not contradict them, subsidiarily, by the general rules on administrative procedures."


II. Termination of the Procedure


provided for in the initiation Agreement transcribed above, which implies the
Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading "Termination in sanctioning procedures," provides the following:
recognition of responsibility.


“1. Once a sanctioning procedure has been initiated, if the offender acknowledges their responsibility, the procedure may be resolved with the imposition of the appropriate sanction.
2. When the sanction is solely pecuniary or when both a pecuniary and a non-pecuniary sanction can be imposed but the latter is deemed inappropriate, voluntary payment by the alleged offender at any time prior to the resolution will result in the termination of the procedure, except in relation to the restoration of the altered situation or the determination of compensation for damages caused by the commission of the infraction.
3. In both cases, when the sanction is solely pecuniary, the competent body to resolve the procedure will apply reductions of at least 20% on the proposed sanction amount, which can be cumulative. These reductions must be determined in the initiation notification of the procedure, and their effectiveness will be conditional on the waiver of any action or appeal in administrative proceedings against the sanction. The percentage of reduction provided for in this section may be increased by regulation.”


THIRD: The payment made, within the period granted to formulate allegations to
In accordance with the aforementioned,
The opening of the procedure entails the renunciation of any action or appeal pending.
administrative against sanction and recognition of responsibility in relation to
the facts referred to in the Initiation Agreement.


FOURTH: In the initiation Agreement transcribed previously it was stated that,
If the infringement is confirmed, it could be agreed to impose on the person responsible the adoption of
appropriate measures to adjust its actions to the regulations mentioned in this
act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to the
which each control authority may “order the person responsible or in charge of the
treatment that the processing operations comply with the provisions of the
this Regulation, where appropriate, in a certain manner and within a
specified period…”
Having recognized responsibility for the infraction, the imposition of penalties proceeds.
the measures included in the Initiation Agreement.
                          FOUNDATIONS OF LAW
                                          Yo
                                    Competence
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, on Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures."
                                          II
                            Termination of the procedure
Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Common Public Administrations (hereinafter, LPACAP), under the heading
“Termination in sanctioning procedures” provides the following:
"1. A sanctioning procedure has been initiated, if the offender recognizes his responsibility,
The procedure may be resolved with the imposition of the appropriate sanction.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/15
2. When the sanction is solely pecuniary in nature or a penalty can be imposed
pecuniary sanction and another of a non-pecuniary nature but the
inadmissibility of the second, the voluntary payment by the alleged responsible, in
Any time prior to the resolution, will imply the termination of the procedure,
except in relation to the restoration of the altered situation or the determination of the
compensation for damages caused by the commission of the infringement.
3. In both cases, when the sanction has only a pecuniary nature, the
body competent to resolve the procedure will apply reductions of, at least,
20% of the amount of the proposed penalty, these being cumulative with each other.
The aforementioned reductions must be determined in the initiation notification.
of the procedure and its effectiveness will be conditioned on the withdrawal or resignation of
any administrative action or appeal against the sanction.
The reduction percentage provided for in this section may be increased
“regularly.”
According to what was stated,
the Director of the Spanish Data Protection Agency RESOLVES:
the Director of the Spanish Data Protection Agency RESOLVES:


FIRST: DECLARE the termination of procedure EXP202317282, of
FIRST: TO DECLARE the termination of procedure EXP202317282, in accordance with Article 85 of the LPACAP.
in accordance with the provisions of article 85 of the LPACAP.


SECOND: TO ORDER BANCO CETELEM, S.A. to, within 3 months from the date this resolution becomes final and enforceable, notify the Agency of the adoption of the measures described in the legal grounds of the Initiation Agreement transcribed in this resolution.


SECOND: ORDER BANCO CETELEM, S.A. so that within 3 months
THIRD: TO NOTIFY this resolution to BANCO CETELEM, S.A.
Since this resolution is final and enforceable, notify the Agency of the
adoption of the measures described in the legal foundations of the
Initiation agreement transcribed in this resolution.


In accordance with Article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.


THIRD: NOTIFY this resolution to BANCO CETELEM, S.A..
Against this resolution, which puts an end to the administrative process as stipulated in Article 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and Section 5 of the Fourth Additional Provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following the notification of this act, as provided in Article 46.1 of the aforementioned Law.


In accordance with the provisions of article 50 of the LOPDGDD, this
Mar España Martí
Resolution will be made public once it has been notified to the interested parties.
 
 
Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, interested parties may file an appeal
administrative litigation before the Administrative Litigation Chamber of the
 
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.
 
 
 
                                                                            1259-16012024
Sea Spain Martí
Director of the Spanish Data Protection Agency
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
</pre>
</pre>

Latest revision as of 07:56, 10 July 2024

AEPD - EXP202317282
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Article 17(1)(d) GDPR
Type: Complaint
Outcome: Upheld
Started: 10.10.2023
Decided:
Published: 25.06.2024
Fine: 150,000 EUR
Parties: Banco Cetelem, S.A.
National Case Number/Name: EXP202317282
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: lm

A bank mistakenly linked a data subject's bank account details to an unrelated debtor, which resulted in unsolicited charges on the data subject. The DPA found that the controller lacked a legal basis and imposed a €150,000 fine.

English Summary

Facts

On 20 October 2023, a data subject filed a complaint with the Spanish DPA (AEPD) against Banco Cetelem, S.A. (the controller). It claimed that the controller, which offered lending services, made numerous unsolicited charges on his bank account between July and September 2022.

The data subject filed numerous complaints against the controller as well as a police report concerning the charges. On 8 August 2022, the data subject requested the deletion of his account data from the controller’s systems, as well as the reimbursement of the amount expended due to the unduly charged bills. The data subject also reproached the controller for attributing his bank account to a third party without previously requesting the relevant certificate of bank ownership from the third party.

One year later, in September 2023, the controller again charged the data subject with a new bill from the controller. The data subject complained to the controller about the charge, but the controller once again made another charge in October 2023.

The controller claimed that the charges occurred as a result of human error during the initial transcription of the bank account. It informed the AEPD that the data subject’s bank account number had been erroneously attributed to a debtor’s contract and was subsequently stored this way in the controller’s database. It stated that it deleted the data subject’s account information from its database after the first claim the data subject filed, but that it then sold the debt to a third party company in June 2023 and that the contract still contained the incorrect account number.

Holding

The AEPD found that the controller infringed Articles 6(1) and 17 GDPR because it processed the data subject’s account number without a legal basis and failed to comply with the data subject’s deletion request.

Since 2022, the controller has been erroneously processing the data subject’s bank account information in its debt contract with the third party debtor, in its databases, and in its transmission to a future debt buyer in June 2023. At no point during this period did the controller correct the issue. As a result, the controller was processing the data subject’s data without a legal basis in violation of Article 6(1) GDPR. The AEPD considered the processing in 2022 and 2023 (between which the data subject had made a deletion request) separately – thus, it found that two Article 6(1) GDPR violations occurred on the separate processing occasions.

The AEPD also found that the controller violated Article 17(1)(d) GDPR when it failed to delete the data subject’s data pursuant to an erasure request. After it received the data subject’s deletion request and even though it alleged to have erased the data in 2022, the controller continued making charges on the data subject’s account in 2023.

The AEPD recommended a sanction of €250,000. Pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €150,000.

Comment

The AEPD rejected the controller’s defense that human error resulted in an erroneous transcription of the bank account number, noting that it is extremely difficult to ‘accidentally’ create an authentic account number in error. Instead, the AEPD considered that the controller incorporated the data subject’s bank account information into the debtor’s contract without verifying that the debtor owned the account in question. Interestingly, though, security measures were not a substantive part of the AEPD's analysis or infringement findings.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

RESOLUTION OF TERMINATION OF PROCEDURE BY VOLUNTARY PAYMENT

From the procedure instructed by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: On May 21, 2024, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against BANCO CETELEM, S.A. (hereinafter, the claimed party) through the Agreement transcribed below:

<<

File No.: EXP202317282
AGREEMENT TO INITIATE SANCTIONING PROCEDURE
From the actions carried out by the Spanish Data Protection Agency and based on the following

FACTS

FIRST: A.A.A. (hereinafter, the claimant) filed a complaint with the Spanish Data Protection Agency on October 20, 2023. The complaint was directed against BANCO CETELEM, S.A. with NIF A78650348 (hereinafter, CETELEM). The reasons for the complaint are as follows:
The claimant states that CETELEM charges his bank account for loan receipts of an unknown third party. He provides several extracts of these receipts, as well as several claims to CETELEM along with their responses, including a police report. There is an initial series of 8 receipts incorrectly charged to the claimant’s account no. ***ACCOUNT.1, between July and September 2022, at a rate of two receipts per month.
On August 8, 2022, the claimant protested to CETELEM about the misuse of his bank account, requesting the deletion of his bank account data; he also demanded an explanation about how his data was obtained without a prior contractual relationship. He also criticized CETELEM for attributing his bank account to a third party without first requesting the pertinent bank ownership certificate. Additionally, the claimant requested and achieved the return of the amounts of the improperly charged receipts.
Again, a year later, in September 2023, CETELEM charged a new receipt from the same debtor to the claimant’s account. The claimant filed a new claim with CETELEM on 09/21/23; however, CETELEM charged another new receipt on 10/02/23.
CETELEM responded on 10/20/23, acknowledging receipt of the claim, and in its response on 10/23/23, justified its actions by stating that the claimant’s account number appeared in the contract.
Simultaneously, the claimant also filed a report at the ***LOCALITY.1 police station on September 18, 2023.

SECOND: In accordance with Article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), the claim was forwarded to the claimed party/ALIAS for analysis and to inform this Agency within one month of the actions taken to comply with the requirements set forth in the data protection regulations.
The forwarding, carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was received on December 4, 2023, as evidenced by the acknowledgment of receipt on file.

THIRD: On December 22, 2023, CETELEM responded to the AEPD's request for information.
CETELEM reported that it deleted the claimant’s account data from its database following the first claim but sold the debt to a third company in June 2023, and the claimant’s bank account number continued to erroneously appear in the contract.
According to CETELEM, the responsibility for this new incident would lie with the new company; however, it assumed the efforts to resolve the new series of improper charges on the claimant’s account. Finally, it concluded that the improper charges in 2022 and 2023 on the claimant’s account were due to human errors.

FOURTH: On December 29, 2023, in accordance with Article 65 of the LOPDGDD, the claim filed by the claimant was admitted for processing.

FIFTH: According to the report from the AXESOR tool, the entity BANCO CETELEM, S.A. is a company established in 1988 with a business volume of 64,855,216 euros in 2022.

LEGAL GROUNDS

I. Jurisdiction

According to the powers granted by Article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), to each supervisory authority, and as established in Articles 47, 48.1, 64.2, and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Furthermore, Article 63.2 of the LOPDGDD states: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, as long as they do not contradict them, subsidiarily, by the general rules on administrative procedures."

II. Obligation Breached

Initial Processing without Lawfulness - Article 6

Article 4.1 of the GDPR “Definitions” states:
“For the purposes of this Regulation:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Article 6 Lawfulness of Processing

Processing shall be lawful only if and to the extent that at least one of the following applies:
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The first subparagraph of point (f) shall not apply to processing carried out by public authorities in the performance of their tasks.”
CETELEM has the bank account number of the claimant. Through this identification number, the account holder is an identifiable natural person, making this data personal data according to Article 4 of the GDPR. CETELEM acknowledges in several of its writings that the claimant's bank account number appears in a debtor's contract and, therefore, also in CETELEM's database. For this reason, the debtor’s receipts are charged to the claimant's bank account.

Although CETELEM seems to attribute the issue to initial transcription errors of the account number, the control digits of bank accounts almost eliminate the possibility of an "accidental" creation of a genuine account number.

This suggests, as the claimant indicates, that the error is due to CETELEM incorporating the claimant's bank account into the debtor’s contract without verifying the account’s ownership.

Given the above, it appears clear that CETELEM initially had the claimant's full bank account number, but it does not satisfactorily explain how this information appeared in a CETELEM client’s contract, given that the claimant has no prior contractual relationship with this entity.

Between July and September 2022, CETELEM improperly charged a series of 8 receipts to the claimant’s account no. ***ACCOUNT.1, at a rate of two receipts per month. On August 8, 2022, the claimant protested to CETELEM about the misuse of his bank account, requesting the deletion of his bank account data.

In September 2023, CETELEM charged a new receipt from the same debtor to the claimant’s account. The claimant filed a new claim with CETELEM on 09/21/23; however, CETELEM charged another new receipt on 10/02/23.

CETELEM had the claimant’s account number in its database and in the debt contract since 2022, and in 2023, the account number remained in the debtor’s contract without being corrected or deleted. CETELEM also transferred the claimant's account data to a third company in June 2023 with the sale of the debt.

Thus, CETELEM processed the claimant's personal information without lawful basis, given that there was no consent, legal, or contractual obligation to justify its processing. As a result of this processing, the claimant endured various charges for a debt in his account over several months in 2022 and 2023, for a debt held by another person.

III. Classification and Assessment of the Infraction

Based on the evidence currently available, and without prejudice to what may result from the instruction and according to the known facts, the claimant is identifiable through his bank account number, in which CETELEM charges a series of receipts.

The claimant is not the owner of the debts charged and has no prior contractual relationship with CETELEM. This means that CETELEM performs this processing without lawfulness, as it does not have the consent of the data subject.

The known facts could constitute an infraction, attributable to CETELEM, of Article 6 of the GDPR (Lawfulness of Processing), due to processing without a legitimate basis.

This infraction of the GDPR article is classified in Article 83.5.a) as follows:
“5. Infringements of the following provisions shall be subject to administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
a) the basic principles for processing, including conditions for consent pursuant to Articles 5, 6, 7, and 9;”

For the purposes of the statute of limitations for infractions, the imputed infraction prescribes in three years, in accordance with Article 72.1.b of the LOPDGDD, which qualifies the following conduct as very serious:
“b) The processing of personal data without any of the conditions of lawfulness of processing established in Article 6 of Regulation (EU) 2016/679.”

IV. Proposed Sanction

This infraction can be sanctioned with an administrative fine of up to 20,000,000 EUR or, in the case of a company, an amount equivalent to a maximum of 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Article 83.2 of the GDPR on general conditions for imposing administrative fines states that they will be imposed, depending on the circumstances of each individual case, additionally or alternatively to the measures contemplated in Article 58, section 2, letters a) to h) and j).

In the present case, it would be appropriate to apply section a) which states:
“a) the nature, gravity, and duration of the infringement, taking into account the nature, scope or purpose of the processing operation concerned as well as the number of data subjects affected and the level of damage and harm they have suffered;”

The nature and scope of the processing affect the claimant's property rights as CETELEM charges his bank account.

Article 76.2 of the LOPDGDD, relating to sanctions and corrective measures, states the following in letter b):
“2. According to the provisions of Article 83.2.k) of Regulation (EU) 2016/679, the following may also be considered:
b) The link between the infringer's activity and the processing of personal data.”

CETELEM is a banking entity, so it has a qualified link in the processing of personal data, especially concerning the accuracy of its processing.

In view of the foregoing, a fine of 100,000 EUR is proposed.

V. Breach of Right to Erasure - Article 17(1)(d) of the GDPR

Article 17 of the GDPR, relating to the right to erasure, states the following in section 1(d):

"The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(…)
d) the personal data have been unlawfully processed;
(…)”

In September and October 2023, according to the bank receipts provided by the claimant, CETELEM made new charges to his account. CETELEM acknowledges its breach of the right to erasure requested by stating that the rectification and erasure of the claimant’s account took place only in the database, but not in the contract, which was the legal basis of the debt.

The obligation of the controller to proceed with the erasure of unlawfully processed data without undue delay is also reflected in Article 5.1(d) of the GDPR:

"1. Personal data shall be:
(…)
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(…)”

"2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”

In light of the described facts, it seems clear that CETELEM limited itself to erasing the claimant’s data only from the database, but not from the contract. More than a year after the claim, CETELEM has not taken all reasonable steps for the erasure and rectification without delay of the claimant’s data.

VI. Classification and Assessment of the Infraction

Based on the available evidence at present and without prejudice to the outcome of the proceedings, it is considered that CETELEM did not effectively erase the claimant's account number in September and October 2023. According to CETELEM's own statement, it only erased the data in the database, but not in the contract underlying the improper charges, despite the exercise of the right to erasure without the data subject’s consent on August 8, 2022.

As a result of the improper processing, CETELEM again made unjustified charges to the claimant's account from another person.

The known facts could constitute an infraction, attributable to CETELEM, of Article 17.1(d) of the GDPR, relating to the right to erasure, which states:

"1) The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(…)
d) the personal data have been unlawfully processed;
(...)"

This infraction of the GDPR article is classified in Article 83.5(b) as follows:

"5. Infringements of the following provisions shall be subject to administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
b) the rights of the data subjects pursuant to Articles 12 to 22;"

For the purposes of the statute of limitations for infractions, since this is a specific failure to comply with the right to erasure, the imputed infraction prescribes in one year, in accordance with Article 74.1(c) of the LOPDGDD, which qualifies the following conduct as minor:
"c) Failure to respond to requests to exercise the rights established in Articles 15 to 22 of Regulation (EU) 2016/679, unless the provisions of Article 72.1.k) of this organic law apply."

VII. Proposed Sanction

This infraction can be sanctioned with an administrative fine of up to 20,000,000 EUR or, in the case of a company, an amount equivalent to a maximum of 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Article 83.2 of the GDPR on general conditions for imposing administrative fines states that they will be imposed, depending on the circumstances of each individual case, additionally or alternatively to the measures contemplated in Article 58, section 2, letters a) to h) and j).

In the present case, it would be appropriate to apply sections a) and b) which state:
“a) the nature, gravity, and duration of the infringement, taking into account the nature, scope or purpose of the processing operation concerned as well as the number of data subjects affected and the level of damage and harm they have suffered;”

The effective erasure of the requested processing has exceeded the period of 1 year, which is considered an aggravating factor of responsibility. The failure to maintain data accuracy has forced the claimant to repeatedly request the erasure of his data, even leading him to file a police report for fraud.

“b) the intentionality or negligence of the infringement.”

The erasure of the claimant’s account number only in the database, but not in the contract, indicates negligent behavior by CETELEM.

Article 76.2 of the LOPDGDD, relating to sanctions and corrective measures, states the following in letter b):
“2. According to the provisions of Article 83.2.k) of Regulation (EU) 2016/679, the following may also be considered:
b) The link between the infringer's activity and the processing of personal data.”

CETELEM is a banking entity, so it has a qualified link in the processing of personal data, especially concerning the accuracy of its processing.

In view of the foregoing, a fine of 50,000 EUR is proposed.

VIII. Obligation Breached

Second Unlawful Processing - Article 6

Article 4.2 of the GDPR "Definitions" states:
"For the purposes of this Regulation:
2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;"

In September and October 2023, two new charges were made to the claimant's account for the same debtor, indicating that CETELEM had not erased the claimant's data. CETELEM informed the AEAT in previous actions that it sold the debt to a third company along with the contract containing the erroneous claimant's data. CETELEM claims that as a result of the debt sale, the responsibility for data accuracy now lies with the new company and that it nonetheless has taken steps to resolve the new incident of improper charges to the claimant's account.

By transferring the claimant's account number to a third party, CETELEM engaged in a new data processing operation ("disclosure by transmission," Article 4.2 of the GDPR), for which it is necessary to comply again with the lawfulness conditions set out in Article 6 of the GDPR:

Processing shall be lawful only if at least one of the following applies:
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
As of August 2022, CETELEM lacked the legal basis to process the claimant's account data; it did not have the data subject's consent, and the processing was not necessary for compliance with a legal or contractual obligation.

This information should never have been in CETELEM's possession, and its erasure was requested by the data subject. Since the previous year, CETELEM has been aware of the unlawfulness of this processing because the claimant had already exercised his right to erasure due to the unlawful processing of his bank account number.

CETELEM improperly retained the claimed information and, by selling the debt, engaged in a new processing activity by disclosing the claimant's account data to a third company without meeting the lawfulness conditions set out in Article 6.1(a) of the GDPR.

IX. Classification and Assessment of the Infraction

Based on the available evidence at present and without prejudice to the outcome of the proceedings, CETELEM acknowledges before the AEPD the transfer of the claimant's account number to a third company, which constitutes a new processing carried out with the express opposition of the data subject.

The known facts could constitute an infraction, attributable to CETELEM, of Article 6 of the GDPR (lawfulness of processing), for processing that involves the transfer of the data subject's information to third parties without the data subject's consent:

This infraction of the GDPR article is classified in Article 83.5.a) as follows:
"5. Infringements of the following provisions shall be subject to administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
a) the basic principles for processing, including conditions for consent pursuant to Articles 5, 6, 7, and 9;"

For the purposes of the statute of limitations for infractions, the imputed infraction prescribes in three years, in accordance with Article 72.1.b of the LOPDGDD, which qualifies the following conduct as very serious:
"b) The processing of personal data without any of the conditions of lawfulness of processing established in Article 6 of Regulation (EU) 2016/679."

X. Proposed Sanction

This infraction can be sanctioned with an administrative fine of up to 20,000,000 EUR or, in the case of a company, an amount equivalent to a maximum of 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Article 83.2 of the GDPR states that administrative fines will be imposed, depending on the circumstances of each individual case, additionally or alternatively to the measures contemplated in Article 58, section 2, letters a) to h) and j). Article 76 of the LOPDGDD, relating to sanctions and corrective measures, establishes that:
"1. The sanctions provided for in sections 4, 5, and 6 of Article 83 of Regulation (EU) 2016/679 shall be applied taking into account the graduation criteria established in section 2 of the cited article.
2. According to the provisions of Article 83.2.k) of Regulation (EU) 2016/679, the following may also be considered:
b) The link between the infringer's activity and the processing of personal data."

CETELEM is a banking entity, which means it has a qualified link in the processing of personal data, especially regarding the accuracy of its processing. This makes the acquisition of the claimant's bank account number, its retention despite the data subject's right to erasure, and finally its transfer to a third party without effective verification of the data's accuracy particularly serious.

In view of the foregoing, a fine of 100,000 EUR is proposed.

XI. Adoption of Measures

If the infraction is confirmed, it could be decided to impose on the controller the adoption of appropriate measures to adjust its actions to the regulations mentioned in this act, in accordance with Article 58.2(d) of the GDPR, which states that each supervisory authority may “order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period...”. The imposition of this measure is compatible with the administrative fine sanction, as provided in Article 83.2 of the GDPR.

Therefore, it could be decided to adopt appropriate organizational measures to avoid future errors like the one in this case within 3 months, as well as to communicate the erasure of the data processing to the company to which CETELEM transferred the claimant's data, due to the sale of the debt.

It is warned that failure to comply with the possible order to adopt measures imposed by this body in the sanctioning resolution could be considered an administrative infraction under the GDPR, classified as an infraction in Articles 83.5 and 83.6, and such conduct could motivate the initiation of a subsequent administrative sanctioning procedure.

Therefore, in view of the foregoing, the Director of the Spanish Data Protection Agency agrees:

FIRST: TO INITIATE SANCTIONING PROCEDURE against BANCO CETELEM, S.A., with NIF A78650348, for two alleged infractions of Article 6 and one infraction of Article 17.1(d) of the GDPR, all of them classified in Article 83.5 of the GDPR.

SECOND: TO APPOINT B.B.B. as instructor and C.C.C. as secretary, indicating that they may be challenged, if applicable, in accordance with Articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).

THIRD: TO INCORPORATE into the sanctioning file, for evidentiary purposes, the complaint filed by the claimant and its documentation, as well as the documents obtained and generated by the Subdirectorate General of Data Inspection in the actions prior to the initiation of this sanctioning procedure.

FOURTH: FOR the purposes provided in Article 64.2(b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the sanction that could correspond would be two hundred and fifty thousand euros (€250,000), one hundred thousand euros (€100,000) for the initial infraction of Article 6, fifty thousand (€50,000) for the infraction of Article 17.1(d), and one hundred thousand euros (€100,000) for the second infraction of Article 6, without prejudice to the result of the instruction.

FIFTH: TO NOTIFY this agreement to BANCO CETELEM, S.A., with NIF A78650348, granting a hearing period of ten business days to make allegations and present evidence deemed appropriate. In the statement of allegations, the NIF and the file number in the heading of this document must be provided.

If within the stipulated period no allegations are made to this initiation agreement, it may be considered a proposed resolution, as provided in Article 64.2(f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP).

In accordance with Article 85 of the LPACAP, responsibility may be acknowledged within the period granted for making allegations to this initiation agreement; this will entail a 20% reduction in the sanction to be imposed in this procedure. With the application of this reduction, the sanction would be set at two hundred thousand euros (€200,000), resolving the procedure with the imposition of this sanction.

Similarly, at any time before the resolution of this procedure, voluntary payment of the proposed sanction may be made, which will entail a 20% reduction of its amount. With the application of this reduction, the sanction would be set at two hundred thousand euros (€200,000) and its payment will imply the termination of the procedure, without prejudice to the imposition of the corresponding measures.

The reduction for voluntary payment of the sanction is cumulative to that applicable for acknowledgment of responsibility, provided that this acknowledgment of responsibility is expressed within the period granted for making allegations to the initiation of the procedure. Voluntary payment of the referred amount of two hundred thousand euros (€200,000), or one hundred and fifty thousand euros (€150,000) if both reductions are applied, must be made into the account IBAN: ES00 0000 0000 0000 0000 0000 (BIC/SWIFT Code: XXXXXXXXXXX) opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A., indicating in the concept the reference number of the procedure listed in the heading of this document and the reason for the reduction being applied.

Additionally, proof of payment must be sent to the Subdirectorate General of Inspection to continue the procedure in accordance with the amount paid.

The procedure will have a maximum duration of twelve months from the date of the initiation agreement. If this period elapses without a resolution being issued and notified, the procedure will expire, resulting in the archiving of actions; in accordance with Article 64 of the LOPDGDD.

Finally, it is noted that in accordance with Article 112.1 of the LPACAP, no administrative appeal is possible against this act.

Mar España Martí
Director of the Spanish Data Protection Agency

>>

SECOND: On May 31, 2024, the claimed party proceeded to pay the sanction in the amount of 150,000 euros using the two reductions provided in the previously transcribed initiation agreement, which implies the acknowledgment of responsibility.

THIRD: The payment made, within the period granted to submit allegations to the initiation of the procedure, entails the waiver of any action or appeal in administrative proceedings against the sanction and the acknowledgment of responsibility in relation to the facts referred to in the Initiation Agreement.

FOURTH: In the previously transcribed Initiation Agreement, it was stated that, if the infraction is confirmed, it could be decided to impose on the controller the adoption of appropriate measures to adjust its actions to the regulations mentioned in this act, in accordance with Article 58.2(d) of the GDPR, which states that each supervisory authority may “order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period...”.

Having acknowledged responsibility for the infraction, it is appropriate to impose the measures included in the Initiation Agreement.

LEGAL GROUNDS

I. Jurisdiction

According to the powers granted by Article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), to each supervisory authority, and as established in Articles 47, 48.1, 64.2, and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Furthermore, Article 63.2 of the LOPDGDD states: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, as long as they do not contradict them, subsidiarily, by the general rules on administrative procedures."

II. Termination of the Procedure

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading "Termination in sanctioning procedures," provides the following:

“1. Once a sanctioning procedure has been initiated, if the offender acknowledges their responsibility, the procedure may be resolved with the imposition of the appropriate sanction.
2. When the sanction is solely pecuniary or when both a pecuniary and a non-pecuniary sanction can be imposed but the latter is deemed inappropriate, voluntary payment by the alleged offender at any time prior to the resolution will result in the termination of the procedure, except in relation to the restoration of the altered situation or the determination of compensation for damages caused by the commission of the infraction.
3. In both cases, when the sanction is solely pecuniary, the competent body to resolve the procedure will apply reductions of at least 20% on the proposed sanction amount, which can be cumulative. These reductions must be determined in the initiation notification of the procedure, and their effectiveness will be conditional on the waiver of any action or appeal in administrative proceedings against the sanction. The percentage of reduction provided for in this section may be increased by regulation.”

In accordance with the aforementioned,

the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO DECLARE the termination of procedure EXP202317282, in accordance with Article 85 of the LPACAP.

SECOND: TO ORDER BANCO CETELEM, S.A. to, within 3 months from the date this resolution becomes final and enforceable, notify the Agency of the adoption of the measures described in the legal grounds of the Initiation Agreement transcribed in this resolution.

THIRD: TO NOTIFY this resolution to BANCO CETELEM, S.A.

In accordance with Article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative process as stipulated in Article 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and Section 5 of the Fourth Additional Provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following the notification of this act, as provided in Article 46.1 of the aforementioned Law.

Mar España Martí
Director of the Spanish Data Protection Agency