AEPD (Spain) - EXP202302929

From GDPRhub

Latest revision as of 14:49, 23 July 2024

AEPD - EXP202302929
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1)(a) GDPR
Article 17 GDPR
Article 37(7) GDPR
Ley 39/2015, de 1 de octubre, del Procedimiento Administrativo Común de las Administraciones Públicas
Type: Complaint
Outcome: Upheld
Started: 23.01.2023
Decided: 12.07.2024
Published:
Fine: 180,000 EUR
Parties: ID Finance
National Case Number/Name: EXP202302929
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: lm

The DPA fined a controller €180,000 because it lacked a legal basis to transfer data concerning a contested debt to a central solvency register and failed to erase the debt from the data subject's financial records.

English Summary

Facts

In September and December 2022, a data subject requested that ID Finance Spain, S.A.U. (the controller), a financial technology company that provides loans, delete their personal data from its credit information systems. The data subject stated that it had never applied for a loan from the controller and attached a police report to its request to demonstrate that they had reported the alleged fraud to the police. The controller only responded to the latter request, when it refused to delete the data on the basis that the data subject had an unpaid debt and, ignoring the attached police report, stated that a police report was required for all deletion requests.

On 23 January 2023, the data subject filed a complaint with the Spanish DPA (AEPD), seeking deletion of their data. The complaint also argued that the controller unlawfully transmitted their data to the national association of credit financiers ASNEF-EQUIFAX’s solvency files.

The controller argued that its processing was based on consent and produced a contract and debt certificate. Neither document was signed by the data subject. In addition to the unsigned contract, the controller claimed that it verified the identity of the loan applicant based on:

  • SMS messages with the phone number listed by the applicant. The AEPD’s investigation revealed that the phone number provided in the loan application did not belong to the data subject.
  • Responses from an IP address. The AEPD noted that the controller did not verify whether or not the IP address belonged to the data subject.
  • A certificate of bank title. The AEPD’s investigation revealed that the bank account listed in the loan application did not belong to the data subject.
  • Verification of the loan applicant’s name and national identification number. The controller used the services of DEYDE Calidad de Datos, S.L., a processor which cross-referenced the name and national ID provided in the application against the State Agency of Tax Administration’s census. This process verified that the name and ID provided in the application were consistent with the Tax Administration’s registry. However, this process did not verify the identity of the applicant.

The controller also noted that in response to the December 2022 deletion request, it suspended its transfer of the data subject’s information to ASNEF-EQUIFAX in accordance with the controller’s internal policy, which states that when a police report is received for identity theft, personal data will be removed from ASNEF-EQUIFAX. However, in April 2023, the controller again transferred the data subject’s information to the credit bureau.

Holding

The AEPD found that the controller lacked a legal basis, failed to honour a deletion request and lacked a data protection officer (DPO), infringing Articles 6, 17 and 37(7) GDPR. The controller was fined €180,000.

The data subject did not apply for a loan with the controller. As a result, it did not provide consent for the processing of its data in connection with this loan and a legal basis under Article 6(1) GDPR does not exist. The AEPD rejected the controller’s defense that it did not submit the data subject’s information to ASNEF-EQUIFAX upon receiving the data subject’s police report because it included them again in April 2023.

The AEPD found that the controller repeatedly infringed the data subject’s right to deletion under Article 17 GDPR. It rejected the controller’s argument that the data subject’s erasure request in September 2022 was not responded to due to an involuntary internal error. Indeed, in response to the data subject’s second erasure request in December 2022, which attached the police report, the controller rejected the request and ignored the attachment. Furthermore, the controller continued to include the data subject’s data in ASNEF-EQUIFAX’s creditworthiness file.

Finally, the AEPD noted that in response to its request for a report of the actions carried out by the DPO, the controller failed to demonstrate that it had appointed a DPO or to communicate it to the AEPD within the requisite time. The controller thus infringed Article 37(7) GDPR as well as Article 34(1)(f) LOPDGDD.

The AEPD recommended a sanction of €225,000. Pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 20%, paying a fine of €180,000.

Comment

This case bears similarity to one resolved by the AEPD in May 2024. In EXP202313713, the AEPD sanctioned the same controller €56,000 when it failed to remove a contested debt from a data subject's financial records. As in this case, the controller argued that it had deleted the data subject’s data from the ASNEF file as requested, but that a technical error had occurred which caused the personal data to be re-uploaded on ASNEF.

In both cases, the AEPD found that the controller lacked a legal basis to process the data subject's information.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: EXP202302929

       RESOLUTION TERMINATING THE PROCEDURE BY VOLUNTARY PAYMENT


In the procedure conducted by the Spanish Data Protection Agency, and based
on the following


                                  BACKGROUND


FIRST: On April 19, 2024, the Director of the Spanish Data Protection Agency
agreed to initiate sanctioning proceedings against IDFINANCE SPAIN,
S.A.U. (hereinafter, the claimed party). After the initiation agreement was notified
and the allegations presented were analyzed, on June 3, 2024 the proposed
resolution transcribed below was issued:

<<



File No.: EXP202302929


       PROPOSED RESOLUTION OF SANCTIONING PROCEDURE


In the procedure conducted by the Spanish Data Protection Agency, and based
on the following:

                                  BACKGROUND


FIRST: On January 23, 2023, A.A.A. (hereinafter, the complaining party)
filed a claim with the Spanish Data Protection Agency.

The claim is directed against IDFINANCE SPAIN, S.A.U. with NIF A66487190
(hereinafter, the claimed party).


The reasons on which the claim is based are the following:

The complaining party, through its representative FACUA, files a claim with
this Agency due to the refusal of the claimed party to delete their personal data from
common credit information systems.

The complaining party indicates that, on December 1, 2022, they requested deletion of their
personal data from the claimed party, providing a copy of the police report
filed on May 18, 2020.

They received a response from the claimed party stating that deletion is not appropriate since there is
a debt pending payment.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/42









Along with the claim, a copy is provided of the deletion request submitted by the
claimant (in their own name) together with the police report sent to the claimed
party, and of the response of December 22, 2022, which states that the
deletion cannot proceed because there is an unpaid loan and which requests the
police report that the claimant had already provided with the deletion request.

The complaining party also presents:

- Authorization to FACUA for representation.

- FACUA membership certificate of the complaining party.

- Copies of the ID of the claimant and of the secretary of FACUA Córdoba.

- Complaint of May 18, 2020 at the Córdoba-East Police Station of the
  National Police, in which the complaining party declares: having received in their
  mailbox, two days before, a letter from the claimed party claiming a debt
  for a loan; not recognizing the debt; not having entered into any
  contract with the aforementioned company.

- Letter from FACUA, acting on behalf of the complaining party, dated
  September 20, 2022, addressed to the claimed party, ***EMAIL.1, ***EMAIL.2 and
  ***EMAIL.3, with subject “***SUBJECT.1”, in which it asks the claimed party
  to send the information related to the formalization of the contract and its
  acceptance and, if it does not have it, to close
  the debt claim and cancel the data of the complaining party.

- Email from FACUA, acting on behalf of the complaining party,
  sent on September 21, 2022 to ***EMAIL.1, ***EMAIL.2 and
  ***EMAIL.3, indicating that it attaches the claim of its client.
  A 1.5 MB file called “***FILE.1” is attached to the email.

- Letter from the complaining party, dated December 1, 2022, addressed to the
  claimed party and to the emails ***EMAIL.1, ***EMAIL.2 and
  ***EMAIL.3, in which it states that it has no relationship with the claimed party and
  has been bothered by it for two years, that it filed a
  complaint with the police on May 20, 2020, and that it has claimed through
  FACUA requesting documentation of the alleged contract but has not received
  a response, and for which it requests the deletion of its personal
  data, the closure of any debt-collection file and the
  communication of the deletion of its data to other data
  controllers.

- Email from the complaining party on December 1, 2022 at
  12:18, in which it forwards to FACUA an email sent at 11:17 to ***EMAIL.1
  requesting that its right to deletion be addressed.


- Email from the complaining party to FACUA on December 1, 2022
  at 12:43, in which it forwards the emails sent at 11:42 to ***EMAIL.3 and
  at 11:17 to ***EMAIL.1, with a 3.0 MB attachment “***FILE.2”.

- Email from the complaining party on December 23, 2022, which
  forwards to FACUA a response email from ***EMAIL.1, dated December 22,
  in which the claimed party answers the email sent on December 1
  at 11:17 by the complaining party (identical to the one forwarded in the Party
  5 above). In the response, the DPO of the claimed party informs the
  complaining party that it cannot exercise its right of deletion due to the existence
  of an outstanding debt, and indicates that if it suspects having
  been a victim of identity theft, it must send them a copy of the
  complaint filed with the police.


SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5,
on the Protection of Personal Data and guarantee of digital rights
(hereinafter, LOPDGDD), on March 13, 2023 the claim was forwarded to IDFINANCE SPAIN
so that it could analyze it and report to this Agency, within a period of one month,
on the actions carried out to comply with the requirements provided for in the
data protection regulations.

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of
October 1, on the Common Administrative Procedure of Public
Administrations (hereinafter, LPACAP), was received on March 23, 2023, as
stated in the acknowledgment of receipt that is in the file.

On April 23, 2023, this Agency received a response letter
indicating that the personal data was obtained directly from the claimant at
the moment the loan was formalized through the entity's website, using
as the method for identification at the time of contracting an
enhanced identity verification system through the provider "DEYDE Quality of
Data, S.L." (hereinafter, "DEYDE"), through which the system, when it receives a
request, automatically sends DEYDE the name and surname and ID number.

In this way, DEYDE checks against the database of the State Agency for
Tax Administration (AEAT) that these data actually coincide with the
information held in the aforementioned database.

In this case, the verification by DEYDE confirmed the match between the information
provided to IDFINANCE and that known to the AEAT, so IDFINANCE considered
this verification valid on 03/09/2020 (12:09:46).

Along with its response, it also provides the following documents:

  ASNEF MANAGEMENT PROCEDURE
  CONTRACT, CERTIFICATE AND AMORTIZATION TABLE

  LOAN APPLICATION PROCEDURE

THIRD: On April 23, 2023, in accordance with article 65 of the
LOPDGDD, the claim presented by the complaining party was admitted for processing.

FOURTH: The General Subdirectorate of Data Inspection carried out
preliminary investigative actions to clarify the facts in
question, by virtue of the functions assigned to the supervisory authorities in
article 57.1 and the powers granted in article 58.1 of Regulation (EU)
2016/679 (General Data Protection Regulation, hereinafter GDPR), and
in accordance with the provisions of Title VII, Chapter I, Second Section, of the
LOPDGDD. Information is requested from:

  THE GENERAL DIRECTORATE OF THE POLICE
  DEYDE DATA QUALITY S.L
  BANCO BILBAO VIZCAYA ARGENTARIA, S.A.
  XFERA MÓVILES S.A.
  ASNEF-EQUIFAX, SOLVENCY AND CREDIT INFORMATION SERVICES, S.L.,
  IDFINANCE SPAIN, S.A.U.

These investigative actions make it possible to verify the following points:

The claim gives, as the details of the claimed party, “MONEYMAN (ID
FINANCE SPAIN)”.

The claimed party is responsible for the website ***URL.1.

ACTIONS BEFORE THE GENERAL DIRECTORATE OF THE POLICE


On May 31, 2023, collaboration is requested from the GENERAL DIRECTORATE OF THE
POLICE, which on June 13 stated, through its Protection Delegate
of Data, the legal impossibility of sending the requested information.


When requesting from the claimed party the data subject to processing that appear in their
systems and origin of these, the claimed party states that:

“The categories of personal data that appear in our systems are the
following:


- Identification data: name, surname, National Identity Document, ID
Borrower (ID assigned to the requester by the system), IP's.
- Contact information: Address, telephone, email
- Personal circumstances: marital status, date of birth, family situation, sex.

- Employment data: hiring regime, employer and department.
- Economic and financial data: Income, bank IBAN.
- Data related to credit applications: amounts, interest rates to apply
If the credit is approved, repayment terms and, if applicable, amount of the
debt."


The list above does not mention that any image of the DNI of the complaining
party is saved in its systems.

When asked to provide the list of personal data that its system stores
when a new client registers, and a copy of the data and images saved by the
application when the complaining party was registered, the claimed party states:

“We attach as ANNEX IX by certificate the list of the data that our
system stores when a new client registers, as well as a copy of the
themselves.”


The claimed party provides a document, in which it states:

“The data provided by our client on the last day ***DATE.2 when the
Mrs. A.A.A. requested a loan through our website, on which the
himself/herself ratified its veracity, are listed below;


Name: A.A.A.
First surname: A.A.A.
Second surname: A.A.A.
DNI/NIE: ***NIF.1
Date of birth: ***DATE.1

Address: ***ADDRESS.1
Telephone numbers where the owner has been contacted: +***PHONE.1,+***PHONE.2
Telephone numbers provided by the owner without contact with him/her: +***TELEPHONE.2
Email address: ***EMAIL.4”

The following data of interest is extracted from the request of this same client

in order to proceed with your claim;

Access IP address: ***IP.1
Loan application date: ***DATE.2
Requested amount: €000.0
Agreed return date: ***DATE.3

Amount due at the date of writing this document: €000.0
Sum amount of interest owed as of the date of writing of this
document: €000.0”

The claimed party does not indicate that it retains any certificate of bank
account ownership.


However, when asked to substantiate the means used to
identify the affected person at the time of contracting, the claimed party
states:

“On the date of application for the loan, IDFINANCE applied a system to the specific case

reinforced identity verification through the provider “DEYDE Quality of
Data, S.L.” (hereinafter, “DEYDE”) through which the system, when it receives a
request, automatically sends DEYDE the name and surname and ID number.
In this way, DEYDE checks the Tax Agency database
Spanish that these data actually coincide with the information they have in the

mentioned database. In this case, the verification by DEYDE verified the
coincidence between the information provided to IDFINANCE and that known to the
Spanish Tax Agency, so IDFINANCE considered said verification valid.

We attach as ANNEX IV the verification of the identity of the Claimant.”

The claimed party provides an image showing the registration date of the
complaining party in Moneyman (March 9, 2020) and mentions of “Deyde-Passport”,
but no data appears that allows the information to be associated with the complaining party,
although the figure that appears in the last line, “***DATE.2 12:25:14: Money sent;
payment order XXXXXXX; Unnax XXXXXXX”, also appears in the contract, page 9,
and in the complaint.

The statements of DEYDE CALIDAD DE DATOS, S.L. about the service contract
signed with the claimed party, with its addendum, and a copy of the same contract
with its addendum subsequently provided by the claimed party, describe
the service provided as verification of the correspondence between a name and a
NIF by checking against the AEAT census.


ACTIONS BEFORE DEYDE DATA QUALITY S.L.

DEYDE DATA QUALITY S.L. states:

“In no case does DEYDE offer or market MyDataQ_ID Validation as a
identity verification system, nor the functions it performs can be considered

included in this concept since they only receive a name and a document of
identity, without having access to other data that would allow validation of
any identity. That is, the purpose of said service is to verify that the user
It is registered with the Tax Agency.


Likewise, the product does not access any database of the Tax Agency,
It only provides a service included in its electronic headquarters.

This is expressly stated in the contract signed between DEYDE and ID FINANCE.


[…]
We understand that the A.A.A. data with NIF ***NIF.1 should have been sent more than
18 months, since we currently have no record of it even in our systems
production, which have data from the last 20 days, nor in the backup system that
contains information from the previous 18 months.


If we have been able to verify that, as of June 1, 2023, the service tells us that those
data are registered in the Tax Agency.”

That is, it states that, when checked against the AEAT census, there is
a match between the name and the NIF provided.


More information about this service can be found at the following link:

***URL.2.


The claimed party states that “The data was obtained directly from the
interested at the time the loan was formalized” and that provides “the contract
signed by the Claimant as ANNEX II” and the “current procedure for requesting
loan as ANNEX III”.

The claimed party states that the procedure followed to verify the
identity of the complaining party consisted of verifying the match between
name and DNI/NIF number through the aforementioned Tax Agency
service and, as deduced and explained later, it must have included a telephone
call and the sending of images of the DNI through a web page whose URL was
provided via SMS messages.

The procedure provided does not correspond to the previous statements, since
it includes verification by providing images of the DNI and a “selfie”
photograph of the complaining party through an app, while the SMS that the
claimed party states it sent during the registration process, which are analyzed
later, make no mention of sending any “selfie”.


The claimed party has not stated that it processes images of the complaining party.

The document includes a contract along with a debt certificate issued by the
party itself and an amortization table. However, this document does not contain
the electronic signature of the complaining party, nor does his handwritten signature appear on any
of its pages.


On page 1, the identity and contact information of the complaining party are detailed, and
mentions:

“The bank account provided by the owner for the entry of the loan amount

and of which he claims to be the owner and responsible is ***ACCOUNT.1”.

The claimed party is asked to provide the information available to it regarding the
relationship between the complaining party and the account into which the loan
money was paid, and whether, before the deposit or subsequently, it carried out any
account ownership verification procedure, and its result.

In its response, the claimed party states:

“The information that Moneyman had about the relationship between the claimant and the
account into which the money is deposited is based on the document, issued by the entity

BBVA (Banco Bilbao Vizcaya Argentaria, S.A.), provided by the same claimant in
the loan underwriting process. It indicates that the ownership of the
The account into which the deposit is made belongs to the claimant. We attach
document as ANNEX 1. Since the certificate provided was issued by BBVA
(with electronic signature at the bottom of the certificate) and the data obtained directly by

the claimant, these were considered accurate.”

A document is provided that appears to be a certification from the banking entity
attributing ownership of the account ***ACCOUNT.1 to the complaining party.


The document includes a logo and seal of the banking entity, but not the signature of the
banking entity.

The certificate footer specifies the following:

“This document has been generated in digital format and has been signed
electronically, which in accordance with Law 59/2003 on Electronic Signature allows:

Identify the signatory unequivocally, having the electronic signature with respect to
the data recorded has the same value as the handwritten signature when recorded in
paper.

Ensure the integrity of the signed document.


If you are viewing a printed copy of the certificate, you can check its
authenticity contrasting it with the digital version of the same, in which you can
check the signature in the signature panel.

(…).


Serial number: XXXXXXXXXXXXXX

Certification Date (GMT time): XXXXXXXXXX”

However, it has been verified that the document provided is not
electronically signed; the information that appears in the footer does not
allow its authenticity to be verified.

ACTIONS BEFORE BANCO BILBAO VIZCAYA ARGENTARIA, S.A.


BANCO BILBAO VIZCAYA ARGENTARIA, S.A. states that the ownership of the
account ***ACCOUNT.1 corresponds to a person other than the complaining party.

The claimed party states:


 “We attach as ANNEX IV the verification of the identity of the Claimant,” and
provides the image [6]. That image contains no data that allows the
information to be associated with the complaining party. The image can only be associated with the rest of the
documentation by the figure that appears at the bottom, 00000000, which also appears in the
contract and in the complaint.


When asked to provide the list of personal data that your system
stored when a new customer registers and copy of the data and images
saved by the application when the complaining party registered, the claimed party
states:


 “We attach as ANNEX IX by certificate the list of the data that our
system stores when a new client registers, as well as a copy of the
themselves.”

This document includes, among other personal data of the claimed party, the

numbering +***PHONE.2 (hereinafter, Numbering_1).

PROCEEDINGS BEFORE XFERA MÓVILES S.A.


XFERA MÓVILES S.A. states that between March 3 and August 1, 2020
Numbering_1 corresponded to a person other than the complaining party. The
owner of the line does not match the owner of the bank account either.


When proof is requested, if applicable, of the SMS sent to the claimant for registration and
for the loan application, the claimed party states:

“We attach as ANNEX X the accreditation of the SMS sent to the claimant
for registration and loan application”


Said document contains a table with 14 records of SMS sent on
March 9, 2020 between 12:06 and 12:25 to Numbering_1.

As already mentioned, the complaining party was not the owner of Numbering_1, and
it has not been proven that the complaining party could read the messages sent to
Numbering_1.

The tables in the document are Excel tables with information on, among other things, the
date and time, destination number and content of various SMS. This information
has been provided by the claimed party, but has not been accredited by a third party.


The SMS in the table, dated March 9, 2020 between 09:12 and 12:25, follow
this sequence:

    - “Your Moneyman.es confirmation code 8872”


    - “We have sent you the standardized consumer credit information and the
       terms and conditions of your loan. Please read them carefully.
       “Moneyman.”


    - “Last step to receive your money! Call XXXXXXXX now to finish.”

    - “MONEYMAN: pending sending DNI/NIE on both sides. Click on
       https://***URL.1/ to upload them. Thank you."

(This SMS appears nine consecutive times).


    - “Your money is on the way! We have already issued the payment order for the amount
       requested a loan of 200.00 euros.”

    - “We have sent you the standardized consumer credit information and the

       terms and conditions of your loan. Please read them carefully.
       “Moneyman.”

From the sequence it is deduced that during the registration process there must have been a
phone call, followed by the sending of images of both sides of the DNI through
the link ***URL.1.




When asked whether it received an image of the complaining party's identity
document, the claimed party states that it received a photograph of the
identity document during the registration process and provides the image.


It is concluded from the above that the identity verification carried out during the
user registration process with the data of the complaining party consisted of
checking that the name, surname and identity document matched
those included in the Tax Agency census, the sending of SMS messages to
Numbering_1, a telephone call, the acceptance of a certificate of bank account
ownership lacking the electronic signature that its own text states its
electronic version contains, and receipt of an image of the
DNI of the complaining party.

In relation to the notifications sent by the claimed party, and the consent
of the claimant to the processing of her personal data and to their inclusion
in credit information systems, the following has been
established:

The complaining party states that it never requested credit from the claimed
party and declares that “he does not recognize such debt since he has not made any
contracting with such company.”

When asked for documentation proving the origin of the debt
that motivated the inclusion of the affected person's personal data in the credit
information systems, the claimed party states that it provides a contract together
with a debt certificate issued by the claimed party itself and an amortization
table. The document received contains neither the electronic signature of the complaining
party nor his handwritten signature on any of its pages.

When again asked for proof of the complaining party's acceptance
of the debt, the contract and its clauses, the claimed party states:

“We attach as ANNEX II the certificate accrediting the acceptance of the
privacy policy and acceptance of the Terms and Conditions of the loan contract
on March 9, 2020.

We also attach as ANNEX III the communications sent on March 9, 2020
in which the formalization of the loan by the claimant.”

As ANNEX II, it provides a certificate, issued by the claimed party itself, of
acceptance of conditions from a certain IP address on March 9, 2020 at 12:09.

As ANNEX III, it provides the table that contains 14 records of SMS sent on
March 9, 2020 between 12:06 and 12:25 to Numbering_1. As already mentioned above,
the complaining party was not the owner of Numbering_1, and it has not been proven
that the complaining party could read the messages sent to Numbering_1.


The complaining party also declares that on May 16, 2020 “he received in his mailbox
a notification from the claimed company […] in which the non-payment of
312.80 euros is claimed. The loan contract number 0000000 appears as a reference.”

When asked for a copy of the aforementioned notification, the claimed party states
that it does not have proof of that mailing and provides, as proof of receipt of the
payment demand notifications, the table referring to two SMS sent on May 14 and 17,
2020 to Numbering_1.

The table is similar to the tables mentioned above and, as already mentioned
previously, the complaining party was not the owner of Numbering_1.

Furthermore, the document provided by the claimed party includes the general
contracting conditions; Article “18.- Notifications” thereof indicates:

“The notifications between the parties that must be made as a consequence of what is
provided for in these General Conditions or the Loan contract will be made in writing
and will be valid if they are made by certified mail with return receipt, or e-mail
at the addresses mentioned below for each of the Parties:

Borrower: the one indicated in the Loan application […]”

Therefore, although it has been proven that the complaining party received a
notification at his address, the claimed party states that this was made through
SMS to Numbering_1, and has not proven that it was carried out in accordance
with the general conditions, which according to its statements were accepted by
both parties.

The claimed party also states:


“We attach as ANNEX XI the certificate issued by the company which
proves that the claimant accepted the processing of her personal data by
IDFINANCE SPAIN, S.A.U.”

As ANNEX XI, it provides a certification from the claimed party itself.

The complaining party states that it has been improperly included in the
ASNEF EQUIFAX asset solvency file.

When asked for the information in the contract about the possibility of inclusion in
credit information systems, the claimed party states:

“The possibility of inclusion in credit information systems in the event of
non-payment is reported in clause 16.1 a) of the GCC of the contract attached as
ANNEX II and in point 3 of the European Standardized Information Form on
consumer credit (pre-contractual information), which is found at the end of the
attached contract.”



As ANNEX II, it provides the contract, in which article “16.- Protection of
personal data” (p. 6) indicates:

“16.1. With the consent of the Loan Applicant, regardless of the
Loan Decision, the Borrower declares himself informed, consents and expressly
authorizes the Lender:

(a) To obtain information regarding your credit history and risk positions
from entities providing information services on financial solvency and
credit […].

The Borrower is informed that, in the event of non-payment within the term provided
for this, and having complied with the necessary legal requirements and relevant
communications, your Personal Data may be communicated to the Credit Service of
Asnef-Equifax, with address at C/ Albasanz, 16, 28037, Madrid.”

On the other hand, on page 4, article 13.3 indicates:

“If within thirty (30) days from the expiration of the acquired debt, it has not
been satisfied by the Borrower, having been previously notified to him,
the Lender will have the right to communicate the Borrower's data to files of
information on financial solvency and credit, in all cases meeting the
requirements for the inclusion of data.”

When asked for information about the procedure for including its clients in credit
information systems, the claimed party states:

“4. Collections

Once the loan expires without payment occurring, the system changes the
Loan status (Loan ID) to expired (“Expired”) and the automatic notification and
“Collection” procedure begins.

The system sends automated SMSs and Emails notifying that the
payment of the expired debt and indicating payment facilities.

Notifications of inclusion in credit information systems due to non-payment of
debt are not sent until the 30th (DPD30) or 45th (DPD45) day from the date of
expiration.

ANNEX IV is attached with the automatic Collections procedure and the
messages that are sent.”

In ANNEX IV the claimed party provides a document that contains a description
of the variables, requirements and notifications to be sent, related to the
“Collections” notifications, used to send non-payment notifications to its
customers, by email and SMS, automatically.

The claimed party also states:


“In accordance with the request, we attach as ANNEX V the notification made
by SMS to the claimant of the expiration of her debt and its imminent inclusion
in credit information systems” and provides as ANNEX V the table with
information about two SMS sent to Numbering_1 on May 14 and 17, 2020.

As previously mentioned, the claimed party has not proven that the
complaining party could read the SMS sent to Numbering_1. Furthermore, the sending
of SMS is not considered a means of communication.


The claimed party states:

“On January 23, 2023, mail was received from FACUA Córdoba, as indicated
in the response dated March 23, 2023 to the first request received from
the AEPD, in which we are informed of the complaint to the police for impersonation of
identity presented by the claimant.

It is at that moment when this entity becomes aware of the complaint
presented and proceeds to apply the measures established for cases of fraud (1st,
blocking the claimant's data in our systems; 2nd, paralyzing the
debt claim (keeping the data blocked and limited in processing, given that they
may be required by the competent authorities for the investigation of the facts);
and 3rd, deleting the claimant's data from the asset solvency files).

This is indicated to FACUA in the response email to its request for
information, which is attached as ANNEX 4.

From that moment on, the data has been maintained until the clarification of the
facts by the police.”


As ANNEX 4, it provides the document signed on February 6, 2023, in which it
responds to the complaining party:

“That, taking into account the content of the Claim and the documentation
provided, ID FINANCE SPAIN has proceeded:

1) to the blocking of the claimant's data in our system, as well as

2) to paralyze the debt claim. Data is blocked and limited in processing
given that it may be required by the competent authorities for
the investigation of the facts.

3) The data of Ms. A.A.A. has been deleted from the asset solvency file
(ASNEF EQUIFAX)”


ACTIONS BEFORE ASNEF-EQUIFAX INFORMATION SERVICES ABOUT
SOLVENCY AND CREDIT, S.L.



On the other hand, ASNEF-EQUIFAX, INFORMATION SERVICES ON
SOLVENCIA Y CRÉDITO, S.L., provides the registrations of the complaining party
in its records made at the request of the claimed party, with registration and
cancellation dates:

    - May 29, 2020 (registration) and June 8, 2020 (cancellation).
    - July 10, 2020 (registration) and January 30, 2023 (cancellation).
    - April 15, 2023 (registration) and April 16, 2023 (cancellation).

It also provides the registration notifications sent to the complaining party by
ordinary postal mail to the address of the complaining party, dated May 29,
2020, July 10, 2020 and April 15, 2023.

It is proven that the defendant kept the claimant registered in
credit information systems during the three periods mentioned above, the
last of which is after February 6, 2023, the date of its response to the
complaining party, in which it communicates the blocking of the data.

ACTIONS BEFORE IDFINANCE
In relation to the actions adopted by IDFINANCE in response to the requests of the
complaining party related to their rights regarding the processing of their
personal data:

On September 21, 2022, the complaining party requested that the defendant attend to
its right to erasure of its personal data and their removal from the asset solvency
files, through its legal representative FACUA, sending the letter to three email
addresses of the claimed party (***EMAIL.1, ***EMAIL.2 and ***EMAIL.3).

This request received no response nor was it attended to.

As of the date of preparation of this report, the claimed party has not communicated
to the Spanish Data Protection Agency the identification data of its Data
Protection Officer.

When asked to “provide a report or summary of the actions
carried out by the Data Protection Officer of your company regarding the
request, by the claimant, for the deletion of her personal data”, the claimed
party makes different statements:

“In relation to the actions carried out by the Data Protection Officer
regarding the deletion of the claimant's personal data, the
in accordance with the internal procedure for the management of rights of the
interested.”

In response to the request for information on the reason for not responding to the
email from the legal representative of the complaining party, the defendant states:


“[…] due to personnel changes in Moneyman's Legal department, the mailbox where the
email sent by FACUA on September 21, 2022 arrived was left without management,
without the staff who replaced the person responsible for said mailbox knowing about
the message, which went without a response.”


It is proven that the claimed party did not adequately respond to the request for
deletion of data of the complaining party, since it did not respond to the email
sent by FACUA as its legal representative on September 21, 2022.

On December 1, 2022, the complaining party again requested that the defendant attend
to its right to deletion of its personal data and their removal from the asset
solvency files, sending the letter to two email addresses of the claimed party
(***EMAIL.1 and ***EMAIL.3).

The claimed party also states that “it proceeded in accordance with the
internal procedure for the management of the rights of interested parties”, and
provides a document which, among other things, establishes a period of one month for
the deletion or communication to the affected person, the need to immediately
communicate the requests to the DPO, who must check whether the request meets some
requirements (name and surnames, whether a photocopy of the ID or similar is provided,
whether the request is stated, address, date), and that the DPO must request their
correction where appropriate.


When asked for more information about the handling of the rights of the complaining
party, the claimed party states:

“On December 22, 2022, the exercise of rights presented
by the claimant on December 1, 2022 was responded to, as can be seen in the
document attached as ANNEX 3.”

As ANNEX 3, it provides the email sent on December 22
from ***EMAIL.1 to ***EMAIL.4, in response to the complaining party, in which
it indicates that:

“you cannot proceed to delete your personal data in our database
for having an unpaid loan” and that “if you suspect that you may have been a victim of
identity theft, we recommend that you report the facts to the
police and send us the complaint so that we can take the appropriate measures.”


Likewise, it points out the following:

“On January 23, 2023, mail was received from FACUA Córdoba, as indicated
in the response dated March 23, 2023 to the first request received from
the AEPD, in which we are informed of the complaint to the police for impersonation of
identity presented by the claimant.

It is at that moment when this entity becomes aware of the complaint
presented and proceeds to apply the measures established for cases of fraud (1st,
blocking the claimant's data in our systems; 2nd, paralyzing the
debt claim (keeping the data blocked and limited in processing, given that they
may be required by the competent authorities for the investigation of the facts);
and 3rd, deleting the claimant's data from the asset solvency files).

This is indicated to FACUA in the response email to its request for
information, which is attached as ANNEX 4.”

As ANNEX 4, it provides the email signed on February 6, 2023 in
which, as has already been explained in the previous section, it communicates to the
complaining party that it is attending to its rights.


However, as already established, the claimed party re-registered the
complaining party in ASNEF-EQUIFAX between April 15 and 16, 2023.

FOURTH: According to the report collected from the AXESOR tool, the entity
ID FINANCE SPAIN, S.A.U. is a large company established in 2015, whose
corporate purpose is the granting of non-mortgage loans or credits to any
person, with 146 employees and a turnover of €178,771,000 in 2022.

FIFTH: On April 19, 2024, the Director of the Spanish Data Protection Agency
agreed to initiate sanctioning proceedings against the claimed party,
in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1,
on the Common Administrative Procedure of Public Administrations (hereinafter,
LPACAP), for the alleged violation of Article 17 of the GDPR, Article 6 of the
GDPR and Article 37 of the GDPR, typified in Article 83.4.a) of the GDPR, Article
83.5.b) of the GDPR and Article 83.5.a) of the GDPR.

SIXTH: The aforementioned initiation agreement having been notified in accordance
with the rules established in Law 39/2015, of October 1, on the Common Administrative
Procedure of the Public Administrations (hereinafter, LPACAP), the claimed party
presented two allegations, a first in relation to the aggravating circumstance of the
possible violation of the right to deletion of data and a second on the typification
and classification of the alleged violation of article 6 of the GDPR.

In relation to its first allegation, it has stated the following:


“As for the aggravating factor of negligence in data processing, the AEPD
considers that it is applicable since, “(…) despite the fact that in response
provided on February 6, 2023, it indicates that the request for
the claimant, the inclusion again at a later time in the file of
financial solvency seems to prove that this was not the case.”

However, this party considers that it is not applicable since at no time did
ID Finance notify the Claimant of the deletion of her data, but rather of the
blocking of the data in the ID Finance system, the paralyzing of the debt claim,
and the deletion of the data from the asset solvency file; in no case
was the definitive deletion of the data communicated (page 346 of the complete file
provided by the AEPD).


This is because in this case definitive data deletion cannot be carried out,
as the police investigation remains open, in which they can request
information from ID Finance, and the existence of a crime of
identity fraud.



Therefore, ID Finance considers that the application of this aggravating circumstance has no place.


Furthermore, the AEPD also justifies the fact that the data was
communicated again to ASNEF-EQUIFAX at a later time, indicating that the request
was not correctly attended to, but this is not true, since the day after
said communication of the data to ASNEF-EQUIFAX they were deregistered again, so
no right of the Claimant has been violated. What is more, these data
were never published since, in accordance with art. 20.1.c of the LOPDGDD,
30 days must pass before publishing them.

Likewise, the claim made by the Claimant does not reveal this circumstance at any
time, so this party considers that, although there was a computer failure as has
been alleged in previous writings submitted to the AEPD, it is not the subject of
this claim.

Thus, while it is true that ID Finance erred in not realizing that the Claimant
had provided a copy of the complaint in its request of December 1, 2022, the
ID Finance worker who responded to the request responded within the deadline,
arguing the reasons for the denial of the right, providing a direct link
to the AEPD website, informing of the right to make the claim
deemed appropriate and proposing that, if he considered that there had been an
identity theft, he file a complaint in order to have his data deleted (pages
351 and 352 of the complete AEPD file). When on January 23, 2023 it
receives a copy of the complaint, ID Finance proceeds to remove the data from
ASNEF-EQUIFAX on January 30, 2023 and communicates this to the Claimant on
February 6, 2023, which was the goal pursued by the Claimant, all within the period
of one month established by the GDPR.



All of this accredits the transparency and good faith of ID Finance, actions totally
contrary to those of obstruction of people's data protection rights.




On the other hand, since this claim affects only one person, this party
considers that the aggravating circumstance of article 76.2 b) LOPDGDD regarding the
linking of the offender's activity with the processing of personal data cannot be
taken into consideration either, as has been alleged in the previous allegations
presented, since the processing of data subject to alleged identity theft is not the
main data processing of the ID Finance activity.”



In its second allegation, the defendant states the following:

“In relation to the typification and classification of the alleged violation of
article 6 of the GDPR, according to the information that this party has been able to
access after the complete review of the file, the AEPD requested the General
Directorate of the Police (hereinafter, the “Police”) information on the
“Proceedings and/or investigations carried out to clarify the facts reported by
A.A.A., with DNI ***NIF.1. According to our knowledge, he filed a complaint with the
CÓRDOBA ESTE on 05/18/2020 before instructor 115476 (attestation number
6224/20)” (page 106 of the complete file provided by the AEPD), in order to
assess the legality of the processing of the Claimant's data according to art. 6 of
the GDPR.

Thus, it is proven that the Police do not provide any information about the
investigation that is being carried out on their part. Despite this, the AEPD, in the
present sanctioning procedure, assumes that the Claimant has actually
been a victim of identity theft on the basis of the complaint submitted, which
cannot be presupposed when said assessment corresponds to the police and, in any
case, to a judge.

It should be taken into account that the filing of a police report does not imply the
veracity of the information, nor even the demonstration of the alleged crime.
However, ID Finance's internal policy, as a precaution and as a precautionary
measure, establishes that when a police report is received for alleged
identity theft, the personal data is deleted from ASNEF-EQUIFAX.

On the other hand, regarding the verification of the owner of the telephone number
provided and of the bank account, the AEPD cannot deny that if ID Finance had
requested this information from the corresponding companies, in this case XFERA
MÓVILES, S.A.U. and BANCO BILBAO VIZCAYA ARGENTARIA, S.A. (“BBVA”), these would
under no circumstances have provided the information, relying, prudently, on the
data protection regulations and indicating that said information should
be requested from the Court, in any case specifying the legal framework and the need
for its assessment, which is excessive and disproportionate for ID Finance.

Therefore, we consider that before resolving this procedure and confirming
the violation of art. 6 of the GDPR by ID Finance and, given that the AEPD
has at its disposal the identification data of the owners of the telephone line and
BBVA bank account, the aforementioned Authority should contact said
people to request information in this regard for the purposes of confirming the
existence of the possible illegality of the processing. Therefore, with the
information available to date to the AEPD, without having contacted the people
detailed in the file after the letter made to the entities BBVA and XFERA
MÓVILES, S.A.U., this party considers that the impersonation of
identity of the claimant, and therefore the illegality of the processing by ID
FINANCE and its corresponding sanction proposal.

In accordance with the above, the details of the people reported and that appear in
the file are set out below, so that the AEPD can complete the appropriate
investigations to clarify whether this is a case of illicit data processing, that
is, confirming the link between the owner of the telephone line, the
bank account holder and the Claimant:

- Data of the owner of the telephone line provided to the AEPD by XFERA
  MÓVILES, S.A.U. on August 10, 2023 (pages 326 and 327 of the complete file
  of the AEPD):

      o NAME: B.B.B.
      o DOC TYPE: DNI
      o DOC NUMBER: 00000000

- Details of the owner of the bank account ES00 0000 0000 0000 0000 0000 of
  BBVA provided to the AEPD by BBVA on September 7, 2023 (page 358 of the
  complete AEPD file):

      o Owner: C.C.C.
      o Identification document: 00000000
      o Current postal address on record in systems: Street ***ADDRESS.2.
      o Address that appears on the DNI delivered to BBVA for the purposes:
        ***ADDRESS.3.

Therefore, the AEPD in this case is proposing a sanction based on art. 6 of the
GDPR for facts that have not yet been proven, that is, it assumes the
illegality of the processing without having previously ascertained whether the
Claimant's data is really being processed illicitly.



Therefore, this party considers, in strict defense terms, that the AEPD
exceeds its competence in qualifying the identity verification measures
as insufficient, when it is demonstrated by the activity of ID Finance and the
relationship with its clients that these are exceptional cases in which the measures
applied by the entity do not give the expected results.

Even so, the AEPD itself in its Guide to “Risk management and impact assessment in
personal data processing” recognizes that zero risk does not exist, and ID Finance
is continually adopting improvements in its procedures to prevent
cases of identity theft from occurring.

IX. B.- ASSUMED RISKS (Guide to “Risk management and impact assessment
in personal data processing”, page 127)

“As noted above, the “zero risk” level does not exist. One has to
find a compromise between the level of residual risk achieved and the viability of the
processing, which means making a decision on when a risk level is
acceptable.”

Thus, this party considers that the aggravating circumstances imposed are excessive
and do not correspond to this specific case, since it has not been accredited by the
competent authorities in the matter that we are really facing a case of
identity fraud.

Despite the fact that the existence of the crime of impersonation of
identity by the Respondent or the AEPD, this party reiterates that the ID Finance
policy is to delete the data immediately upon the mere presentation of the
complaint, since ID Finance prefers to increase its losses, that is, not
recover the capital lent or the interest accrued, than to harm someone
who has really been a victim of a crime, bearing all the damages that this
means for the activity of the entity itself.

Additionally, the AEPD maintains as a basis for the aggravating circumstance of
art. 83.2.b of the GDPR that “Although the claimed party proceeded to block the
personal data of the complaining party on February 6, 2023, upon receipt of the copy
of the complaint to the National Police, where he reported that he had been the
victim of an identity theft, between April 15 and 16, 2023, it again requested his
registration in ASNEF-EQUIFAX”.

This party considers that the AEPD, in this case, has exceeded the scope of
its sanctioning competence in proposing the imposition of the aggravating
circumstance related to the blocking of the data, since it is not connected with the
claim made by the Claimant, who relies on the right to deletion of data for his
deregistration from ASNEF-EQUIFAX, and this event, caused by a computer error as
already explained in the previous allegations made by ID Finance, has never been
brought to the attention of the AEPD, and no third party has had any
access to it in accordance with art. 20.1.c of the LOPDGDD.

This means that no real harm has been caused to the Claimant, since
no one has been aware of this last registration, which justifies, in
any case, the magnitude of the amount of the proposed sanction.

Even so, it is worth mentioning that ID Finance, based on this error, has proceeded to
implement the appropriate technical measures to fix this bug, a computer failure
that affected the interested party but, in any case, it is very important to
take into account, when grading the possible sanction, that no damage has been
caused, since no third party has had access to this information.

Currently, the data is not registered in ASNEF and the Claimant's profile
is blocked in ID Finance systems, in accordance with the ID Finance access policy
(see Annex 1), so that only workers with a certain
degree of responsibility and certain departments can view them, in
order to address possible police actions that may occur.

On the other hand, since this claim affects only one person, this party
considers that the aggravating circumstance of article 76.2 b) LOPDGDD regarding the
linking of the offender's activity with the processing of personal data cannot be
taken into consideration either, as has been alleged in the previous allegations
presented, since the processing of data subject to alleged identity theft is not the
main data processing of the ID Finance activity.

Additionally, since the same aggravating factor related to the
linking of the activity of the alleged infringer, both in the alleged infringement of
art. 37.7, 17 and 6 of the GDPR, ID Finance considers that it is being repeatedly
tried for the same reason, violating the principle “non bis in idem” in accordance
with the criteria of established jurisprudence.

For all these reasons, the violation of article 6 of the GDPR by
ID Finance and, we request, even taking into account the unintentional human error
which ID Finance has incurred, the archiving of these proceedings, with the
commitment to improve all appropriate processes to prevent the occurrence
of such particular situations”

From the actions carried out in this procedure and the documentation
recorded in the file, the following have been accredited:



                                PROVEN FACTS

FIRST: On December 1, 2022, the complaining party requested deletion of
its personal data from the claimed party, providing a copy of the police report
presented on May 18, 2020.


In response to said request, it received a response from the claimed party informing
that the deletion is not appropriate as there is an outstanding debt.

SECOND: The claimed party responded to the exercise of rights presented by the
claimant on December 1, 2022, by email sent on
December 22 from ***EMAIL.1 to ***EMAIL.4, in response to the complaining
party, in which it indicates that:

“you cannot proceed to delete your personal data in our database
for having an unpaid loan” and that “if you suspect that you may have been a victim of
identity theft, we recommend that you report the facts to the
police and send us the complaint so that we can take the appropriate measures.”

Likewise, the claimed party points out, in its response of March 23, 2023 to the
AEPD's request, that on January 23, 2023, when FACUA forwards the complaint
filed with the police for identity theft presented by the claimant, it proceeds to
apply the measures established for cases of fraud (1st, blocking the claimant's data
in our systems; 2nd, paralyzing the debt claim,
keeping the data blocked and limited in processing given that it may be
required by the competent authorities for the investigation of the facts; and 3rd,
removing the claimant's data from the asset solvency files).

THIRD: The claimed party re-registered the complaining party in ASNEF-EQUIFAX
between April 15 and 16, 2023.


                           FOUNDATIONS OF LAW

                                            I
                                     Competence


In accordance with the provisions of articles 58.2 and 60 of Regulation (EU) 2016/679
of the European Parliament and of the Council of April 27, 2016 on the protection
of natural persons with regard to the processing of personal data and the
free circulation of these data (GDPR), and as established in articles 47,
48.1, 64.2 and 68.1 and 68.2 of Organic Law 3/2018, of December 5, on Protection
of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the
Director of the Spanish Data Protection Agency is competent to initiate and resolve
this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: “The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions
dictated in its development and, insofar as they do not contradict them, on a
subsidiary basis, by the general rules on administrative procedures.”

                                           II

                                  Previous issues




In the present case, on March 9, 2020, a user account was opened for
through the website of the claimed entity, ***URL.1, using the personal data of
the complaining party.


To open said account, and according to information provided by the claimed party about the
procedure followed for this purpose, the personal data of the
claimant (name, ID, address, an image of your ID), a bank certificate,
a mobile phone number+***PHONE.2 and a certificate of ownership of
Bank account.


The investigative actions have made it possible to prove that the complaining party was
not the owner of the mobile phone number +***TELEPHONE.2 (hereinafter, Numbering_1)
nor of the bank account used in the procedure to open the indicated user
account.


Using the created user, a loan was requested; the claimed party accepted the
application on March 9, 2020, as stated in the SMS sent to Numbering_1.

During the registration process, verification of the identity of the user of the
claimed party's website was based on the comparison, through a third company, of
the name and NIF of the complaining party with those existing in the Tax Agency's
census, and on the receipt of an image of both sides of the DNI in response to the
requests sent by SMS to Numbering_1. The claimed party thus considered the
identity of the applicant verified.


Following its internal procedures in case of non-payment, the claimed party sent
several notification and debt-claim SMS messages to Numbering_1 on
May 14, 17 and 20, 2020, thus considering the debt, and the
registration in credit information systems, communicated to the complaining party.


On May 18, 2020, the complaining party reported to the National Police having
received a letter from the claimed party in his mailbox two days earlier, demanding a
debt for a loan. In the report he states that he does not recognize the debt and has not
entered into any contract with the aforementioned company.

The claimed party registered the complaining party in ASNEF-EQUIFAX, with
registrations in the periods May 29 to June 8, 2020, July 10, 2020 to June 30
January 2023, and April 15 to 16, 2023.

The claimed party states that it has the consent of the complaining party
to the processing of his personal data and the authorization for its possible
registration in credit information systems, based on:
    - a contract in which there is no signature of the complaining party,
    - communications via SMS to Numbering_1,
    - responses from an IP address whose relationship with the complaining
       party has not been proven, and
    - a certificate of account ownership whose information has been refuted
       after consulting the bank.



The claimed party does not include, in the list of personal data that it claims to process,
copies of DNI images.


It has been proven that the claimed party processed the data of the complaining
party, whom it registered in credit information systems for three
periods between the years 2020 and 2023.

As legal representative of the complaining party, FACUA Córdoba sent an email to
the claimed party on September 12, 2022 requesting the deletion of
the personal data of its client. This request received no response. The claimed
party attributes this lack of response to an involuntary error on its part.

On December 1, 2022, the complaining party sent an email to the claimed party
requesting again the deletion of his personal data and received, on December 22,
a response from the claimed party, which considers the deletion inadmissible
because there is an outstanding debt and urges the complaining party to report the
identity theft and send a copy of the report.

On January 23, 2023, the complaining party again requested the deletion of its data
from the claimed party and filed a claim with the Spanish Data Protection
Agency.

The claimed party states that it proceeded to block the data on February 6,
2023, after receipt of the copy of the report to the National Police.
However, it registered the complaining party again in ASNEF-EQUIFAX between
April 15 and 16, 2023.

                                           III

                           Allegations to the initiation agreement


In its defense, the claimed party has made statements questioning the
violation of article 6 of the GDPR, as well as the aggravating circumstance related to
negligence in its actions.

In response to such statements, the AEPD must indicate that they
are to a certain extent contradictory, since on the one hand the claimed party affirms
that its actions have been diligent, since it deleted the personal data of the
complaining party, in accordance with the procedure established in these cases, when in
March 2023, through FACUA, it became aware of the complaint filed by the complaining
party for identity theft, in which that party does not recognize the debt that the
claimed party demands.

However, despite indicating that the removal from the asset solvency file was
carried out at the request of the claimed entity, the AEPD has verified that the
data of the complaining party were again registered in the asset solvency
files in April 2023 at the request of the claimed party.

On the other hand, the claimed entity initially states that this new
inclusion was due to a technical failure, but then says that in reality the data
was only blocked and the deletion order was never given, since it has not been
proven that said identity theft occurred.


The AEPD considers that the actions of the claimed entity have been negligent and that
there is a clear violation of article 6 of the GDPR, since the data of the complaining
party have been included in a solvency file unlawfully, the claimed party
having processed personal data despite not falling within any of the cases
that legitimize said processing of personal data.


The claimed entity alleges a legitimate interest based on the claimed party being the
debt holder. However, the ownership of the debt subject to inclusion in the
financial solvency file cannot be considered true after the complaining party
filed a complaint for identity theft with the police in March 2023, and
with the consumer association FACUA. Such facts show
that the complaining party has not recognized said debt, and that it questions it because
it does not have any signed contract with the claimed entity.

Therefore, if the ownership of the debt subject to inclusion in the asset solvency
file cannot be proven by the claimed party, it cannot request its
inclusion in any asset solvency file until it is proven that the
complaining party is the owner of said debt.

Requesting the inclusion of the personal data of the complaining party in
a financial solvency file for a debt whose ownership has been questioned,
and which the claimed entity has not been able to prove, therefore represents a clear
violation of article 6 of the GDPR, since unlawful processing of personal data is
being carried out.

Such events are aggravated by a lack of diligence on the part of the claimed
entity, since despite having been informed by FACUA that the complaining party
does not recognize the debt, it has not proceeded to cancel the registration of the
complaining party's data in the financial solvency file.

                                           IV

                                  GDPR Article 6


The GDPR in its article 4.11 defines the consent of the interested party as “any
free, specific, informed and unequivocal manifestation of will by which the
interested party accepts, either by a declaration or a clear affirmative action, the
processing of personal data concerning him.”


In relation to the legality of the processing of personal data, article 6.1
of the GDPR establishes the following:

“1. Treatment will only be legal if at least one of the following conditions
is met:

a) the interested party gave his consent for the processing of his personal data
for one or more specific purposes;

b) the processing is necessary for the execution of a contract to which the interested
party is a party or for the application, at his request, of pre-contractual measures;

c) the processing is necessary for compliance with a legal obligation applicable to the
person responsible for the treatment;

d) the processing is necessary to protect vital interests of the interested party or
of another natural person;

e) the processing is necessary for the fulfillment of a mission carried out in the public
interest or in the exercise of public powers conferred on the controller;

f) the processing is necessary for the satisfaction of legitimate interests pursued
by the person responsible for the treatment or by a third party, provided that said
interests are not overridden by the interests or fundamental rights and freedoms of the
interested party that require the protection of personal data, in particular when the
interested party is a child.

The provisions of letter f) of the first paragraph will not apply to the treatment
carried out by public authorities in the exercise of their functions.”

In relation to credit information systems, we must go to article 20
of the LOPDGDD, highlighting its section b), which establishes the following:

“1. Unless proven otherwise, the processing of personal data relating to the
breach of monetary, financial or credit obligations by common credit
information systems will be presumed lawful when the following requirements
are met:

a) That the data has been provided by the creditor or by someone acting on its behalf
or in its interest.

b) That the data refer to certain, due and payable debts, whose existence or
amount has not been the subject of an administrative or judicial claim by the debtor or
of a binding alternative dispute resolution procedure between the
parties.

c) That the creditor has informed the affected party, in the contract or at the time of
requiring payment, about the possibility of inclusion in said systems,
indicating those in which it participates.

The entity that maintains the credit information system with data related to the
breach of monetary, financial or credit obligations must notify the
affected party of the inclusion of such data and will inform him about the possibility
of exercising the rights established in articles 15 to 22 of Regulation (EU) 2016/679
within the thirty days following notification of the debt to the system, the data
remaining blocked during that period.

d) That the data is only kept in the system as long as the non-compliance
persists, with a maximum limit of five years from the due date of
the monetary, financial or credit obligation.

e) That the data referring to a specific debtor can only be
consulted when the person consulting the system maintains a contractual relationship
with the affected person that involves the payment of a pecuniary amount, or the affected
person has requested the execution of a contract that involves financing, deferred
payment or periodic billing, as happens, among other cases, in those provided for in the
legislation on consumer credit contracts and real estate credit contracts.

When the right to restriction of processing has been exercised before the system,
challenging the accuracy of the data in accordance with the provisions of article 18.1.a)
of Regulation (EU) 2016/679, the system will inform those who can consult it in
accordance with the previous paragraph about the mere existence of said circumstance,
without providing the specific data with respect to which the right has been exercised,
until the request of the affected person is resolved.

f) That, in the event that the request to conclude the contract is denied, or the
contract is not concluded, as a consequence of the consultation carried out, whoever has
consulted the system informs the affected person of the result of said consultation.



2. The entities that maintain the system and the creditors, regarding the treatment
of the data referring to their debtors, will have the status of joint controllers of the
processing of the data, the provisions established by article 26 of
Regulation (EU) 2016/679 being applicable.

It will be up to the creditor to guarantee that the requirements for the
inclusion of the debt in the system are met, answering for its non-existence or
inaccuracy.


3. The presumption referred to in section 1 of this article does not cover the
cases in which the credit information is associated by the entity that
maintains the system with information additional to that contemplated in said
section, related to the debtor and obtained from other sources, in order to carry out
profiling of the debtor, in particular through the application of credit
scoring techniques.”

                                            V


           Typification and qualification of the violation of article 6 of the GDPR

If confirmed, the aforementioned violation of article 6 of the GDPR could entail the
commission of the infractions classified in article 83.5 of the GDPR, which under the
heading “General conditions for the imposition of administrative fines” provides:

“Infractions of the following provisions will be sanctioned, in accordance with
paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total global annual business volume of the previous financial year, opting for
the largest amount:

 a) the basic principles for the treatment, including the conditions for
consent under articles 5, 6, 7 and 9; (…)”

In this regard, the LOPDGDD, in its article 71 “Infringements”, establishes that
“The acts and conduct referred to in sections 4, 5 and 6 of article 83 of
Regulation (EU) 2016/679, as well as those that are contrary to this organic
law, constitute infractions.”


For the purposes of the limitation period, article 72 “Infringements considered very
serious” of the LOPDGDD indicates:

“1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,
infractions that involve a substantial violation of the articles mentioned therein
are considered very serious and will prescribe after three years, in particular the
following:

    a) The processing of personal data without any of the
    conditions of legality of the treatment established in article 6 of Regulation
    (EU) 2016/679 being met. (…)”


It is considered that the reported facts represent a violation of article 6.1 of the
GDPR. In this sense, and according to the information available after the
investigative actions carried out, the complaining party did not contract any debt
with the claimed party, so the premise that motivated the processing of the personal
data of the complaining party and its registration in the asset solvency file
has not been justified. In this sense, the lack of
a legitimizing basis for the processing of personal data carried out is observed and,
therefore, an alleged violation of article 6 of the GDPR.

On the other hand, although the claimed party claims to have blocked the data of the
complaining party on February 6, 2023, after learning of the complaint filed
by the complaining party before the National Police for identity theft, it has been
found that the claimed party re-included the complaining party's data in
the ASNEF-EQUIFAX solvency file on April 15 and 16, 2023, a
circumstance that demonstrates that the processing of the personal data of
the complaining party

                                           VI

                                 Article 17 of the GDPR


Article 17 of the GDPR, in relation to the right of deletion ("the right to
be forgotten"), establishes the following:

“1. The interested party will have the right to obtain without undue delay from the
person responsible for the processing the deletion of personal data concerning him,
and the person responsible will be obliged to delete personal data without undue
delay when any of the following circumstances applies:

a) the personal data are no longer necessary in relation to the purposes for which they
were collected or otherwise processed;

b) the interested party withdraws the consent on which the treatment is based in accordance
with Article 6(1)(a) or Article 9(2)(a), and the treatment is not
based on another legal basis;

c) the data subject objects to the processing in accordance with Article 21(1) and no
other legitimate reasons for the processing prevail, or the interested party objects to
the treatment pursuant to Article 21(2);

d) the personal data have been processed unlawfully;

e) the personal data must be deleted for compliance with a legal obligation established
in Union or Member State law applicable to the person responsible for the
treatment;

f) the personal data have been obtained in relation to the offer of information
society services mentioned in Article 8, paragraph 1.

2. When the person responsible for the treatment has made personal data public and is
obliged, by virtue of the provisions of section 1, to delete said data, the person
responsible for the treatment, taking into account the available technology and the cost
of its application, will adopt reasonable measures, including technical measures, with a
view to informing the responsible parties who are processing the personal data of the
interested party's request for deletion of any link to that personal data, or any copy
or replication of the same.


3. Sections 1 and 2 will not apply when treatment is necessary:

a) to exercise the right to freedom of expression and information;

b) for compliance with a legal obligation that requires data processing
imposed by Union or Member State law applicable to the
person responsible for the treatment, or for the fulfillment of a mission carried out in
the public interest or in the exercise of public powers conferred on the person
responsible;

c) for reasons of public interest in the field of public health in accordance with
Article 9, paragraph 2, letters h) and i), and paragraph 3;

d) for archival purposes in the public interest, scientific or historical research
purposes or statistical purposes, in accordance with Article 89(1), to the extent that
the right indicated in paragraph 1 could make impossible or seriously hinder
the achievement of the objectives of said treatment, or

e) for the formulation, exercise or defense of claims.”

                                            VII

                   Typification and qualification of article 17 of the GDPR

If confirmed, the aforementioned violation of article 17 of the GDPR could entail the
commission of the infractions classified in article 83.5 of the GDPR, which under the
heading “General conditions for the imposition of administrative fines” provides:

“Infractions of the following provisions will be sanctioned, in accordance with
paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total global annual business volume of the previous financial year, opting for
the largest amount:

    b) the rights of the interested parties under articles 12 to 22; (…)”

In this regard, the LOPDGDD, in its article 71 “Infringements”, establishes that
“The acts and conduct referred to in sections 4, 5 and 6 of article 83 of
Regulation (EU) 2016/679, as well as those that are contrary to this organic
law, constitute infractions.”


For the purposes of the limitation period, article 72 “Infringements considered very
serious” of the LOPDGDD indicates:

“1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,
infractions that involve a substantial violation of the articles mentioned therein
are considered very serious and will prescribe after three years, in particular the
following:

k) The impediment or obstruction or repeated failure to attend to the exercise of the
rights established in articles 15 to 22 of Regulation (EU) 2016/679. (…)”


It is considered that the reported facts represent a violation of article 17 of the
GDPR, regarding the right to deletion of personal data, since the first
request, made by FACUA on behalf of the claimant in September 2022, was not
responded to due to what the claimed party qualifies as an “involuntary error.”


Once the complaining party has exercised its right again, acting in its own name,
it receives a response in which it is informed of the existence of a debt that prevents
its data from being deleted from the asset solvency file. In said
response, it is required to provide, if applicable, any police report that it had
filed in case of suspicion of having been a victim of fraud; a document
which had already been provided by the complaining party in the request being
answered. Finally, the complaining party submits a new request,
through its representative, which receives a response indicating that its data
has been blocked.


However, as demonstrated by the fact that, after that response
and, therefore, after the alleged blocking of the personal data of the claimant, the
claimant's data were again incorporated into the asset solvency file, the right to
deletion of the claimant's personal data was not effectively satisfied.


Therefore, we are faced with the repeated violation of the right of deletion
exercised by the complaining party.

                                           VIII


                                Article 37.7 of the GDPR

Article 37 of the GDPR, regarding the appointment of the data protection officer
establishes the following:

“1. The person responsible and the person in charge of the treatment will appoint a
data protection delegate provided that:

a) the treatment is carried out by a public authority or body, except for
courts acting in the exercise of their judicial function;

b) the main activities of the person responsible or the person in charge consist of
processing operations that, due to their nature, scope and/or purposes,
require regular and systematic observation of interested parties on a large scale, or

c) the main activities of the person responsible or the person in charge consist of the
large-scale processing of special categories of personal data in accordance with
Article 9 and of data relating to convictions and criminal offenses referred to in
article 10.

2. A business group may appoint a single data protection officer
as long as it is easily accessible from each establishment.

3. When the person responsible or in charge of the treatment is a public authority or
body, a single data protection officer may be appointed for
several of these authorities or bodies, taking into account their organizational
structure and size.

4. In cases other than those contemplated in section 1, the person responsible or the
person in charge of the treatment or the associations and other organizations that represent
categories of persons responsible or in charge may designate a data protection
delegate, or must designate one if required by Union or Member State
law.


The data protection officer may act on behalf of these associations and
other organizations that represent those responsible or in charge.

5. The data protection officer will be appointed based on their professional
qualities and, in particular, their specialized knowledge of data protection law and
practice and their ability to perform the
functions indicated in article 39.

6. The data protection officer may be part of the staff of the
responsible or the person in charge of the treatment or perform their functions within the framework
of a service contract.


7. The controller or the person in charge of the treatment will publish the contact details of the
data protection delegate and will communicate them to the supervisory authority.”

In relation to the previously indicated precept, article 34 of the LOPDGDD,
regarding the appointment of a data protection officer, establishes the
following:



"1. Those responsible and in charge of the treatment must designate a delegate of
data protection in the cases provided for in article 37.1 of the Regulation
(EU) 2016/679 and, in any case, when it comes to the following entities:


a) Professional associations and their general councils.

b) Educational centers that offer teaching at any of the levels
established in the legislation regulating the right to education, as well as
public and private universities.

c) Entities that operate networks and provide electronic communications
services in accordance with the provisions of their specific legislation, when they
routinely and systematically process personal data on a large scale.

d) Information society service providers when they prepare
large-scale profiles of service users.

e) The entities included in article 1 of Law 10/2014, of June 26, on the
organization, supervision and solvency of credit institutions.

f) Financial credit establishments.

g) Insurance and reinsurance entities.

h) Investment services companies, regulated by the Securities Market
legislation.

i) Distributors and marketers of electrical energy and distributors and
marketers of natural gas.

j) The entities responsible for common files for the evaluation of asset and
credit solvency or common files for the management and prevention of
fraud, including those responsible for the files regulated by the legislation on the
prevention of money laundering and terrorist financing.

k) Entities that develop advertising and commercial prospecting activities,
including commercial and market research, when carrying out
treatments based on the preferences of those affected or carry out activities that
involve the development of their profiles.

l) Health centers legally obliged to maintain patients' medical
records.

Exceptions are health professionals who, even though they are legally obliged to
maintain patient medical records, carry out their activity on an individual
basis.

m) Entities that have as one of their purposes the issuance of commercial
reports that may refer to natural persons.


n) Operators that carry out gaming activity through electronic, computer,
telematic and interactive channels, in accordance with the gaming
regulations.

ñ) Private security companies.

o) Sports federations when they process data of minors.

2. Those responsible or in charge of the treatment not included in the previous paragraph
may voluntarily designate a data protection officer, who
will be subject to the regime established in Regulation (EU) 2016/679 and in the
present organic law.

3. Those responsible and in charge of the treatment will communicate within a period of ten
days to the Spanish Data Protection Agency or, where appropriate, to the autonomous
data protection authorities, the designations, appointments and dismissals of
data protection delegates, both in the cases in which they are
obliged to designate them and in the case in which the designation is voluntary.

4. The Spanish Data Protection Agency and the autonomous data protection
authorities will maintain, within the scope of their respective powers, an
updated list of data protection officers that will be accessible by electronic
means.

5. In compliance with the obligations of this article, those responsible and
those in charge of treatment may establish the full-time or part-time dedication
of the delegate, depending, among other criteria, on the volume of treatments,
the special category of the data processed or the risks to the rights or
freedoms of the interested parties.”


                                           IX

                  Typification and qualification of article 37.7 of the GDPR


If confirmed, the aforementioned violation of article 37.7 of the GDPR could entail the
commission of the infractions classified in article 83.4 of the GDPR, which under the
heading “General conditions for the imposition of administrative fines” provides:

“Infractions of the following provisions will be sanctioned, in accordance with
paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or,
in the case of a company, an amount equivalent to a maximum of 2% of the
total global annual business volume of the previous financial year, opting for
the largest amount:

a) the obligations of the controller and the processor in accordance with articles 8, 11,
25 to 39, 42 and 43; (…)”


In this regard, the LOPDGDD, in its article 71 “Infringements”, establishes that
“The acts and conduct referred to in sections 4, 5 and 6 of article 83 of
Regulation (EU) 2016/679, as well as those that are contrary to this organic
law, constitute infractions.”


For the purposes of the limitation period, article 74 “Infringements considered minor” of
the LOPDGDD indicates:

“The remaining infractions of a merely formal nature of the articles mentioned in
sections 4 and 5 of article 83 of Regulation (EU) 2016/679 are considered minor and
will be subject to a one-year statute of limitations, in particular the following:

p) Failing to publish the contact details of the data protection officer or failing to
communicate them to the data protection authority, when their appointment is
required in accordance with article 37 of Regulation (EU) 2016/679 and article 34
of this Organic Law.”


It is considered that the reported facts represent a violation of article 37.7
of the GDPR, in relation to article 34.1 f) of the LOPDGDD, relating to the
designation of the data protection delegate and its communication to the supervisory
authority, since it has been verified through the previous actions carried out on
01/18/2024 that, up to the moment of carrying out such investigative actions,
the claimed party had not communicated its Data Protection Delegate
to the AEPD.

Therefore, it is considered that the claimed party has committed a violation of the
precepts indicated, as it has been proven that there is no evidence that it has appointed
a data protection officer, published the officer's data or carried out the due
communication of these to the AEPD.

                                           X


                             Graduation of sanctions

Article 58.2 of the GDPR provides the following: “Each supervisory authority will have
all of the following corrective powers indicated below:

b) sanction any person responsible or in charge of the treatment with a warning
when the processing operations have violated the provisions of this
Regulation;

d) order the person responsible or in charge of the treatment to bring the processing
operations into compliance with the provisions of this Regulation, where applicable,
in a certain way and within a specified period;

i) impose an administrative fine in accordance with Article 83, in addition to or instead of the
measures mentioned in this section, according to the circumstances of each particular
case;”


In order to determine the administrative fine to impose, the provisions of
articles 83.1 and 83.2 of the GDPR must be observed, which indicate:


“1. Each supervisory authority will ensure that the imposition of administrative
fines under this article for the violations of this
Regulation indicated in sections 4, 5 and 6 is in each individual case
effective, proportionate and dissuasive.

2. Administrative fines will be imposed, depending on the circumstances of each
individual case, in addition to or as a substitute for the measures contemplated in
Article 58, paragraph 2, letters a) to h) and j). When deciding whether to impose an
administrative fine and its amount in each individual case, the following will be duly
taken into account:

a) the nature, severity and duration of the infringement, taking into account the
nature, scope or purpose of the processing operation in question, as well as
the number of interested parties affected and the level of damages that
they have suffered;

b) intentionality or negligence in the infringement;

c) any measure taken by the person responsible or in charge of the treatment to
alleviate the damages and losses suffered by the interested parties;

d) the degree of responsibility of the person responsible or in charge of the treatment,
taking into account the technical or organizational measures that they have applied under
articles 25 and 32;

e) any previous infringement committed by the controller or processor;

f) the degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the possible adverse effects of the infringement;

g) the categories of personal data affected by the infringement;

h) the way in which the supervisory authority became aware of the infringement, in
particular whether the controller or processor notified the infringement and, if so, to
what extent;

i) when the measures indicated in Article 58, paragraph 2, have previously been ordered
against the person responsible or the person in charge in question in relation to the
same matter, compliance with said measures;

j) adherence to codes of conduct under Article 40 or to certification
mechanisms approved in accordance with article 42, and

k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, directly or
indirectly, through the infringement.”


For its part, article 76 “Sanctions and corrective measures” of the LOPDGDD
provides:

"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation
(EU) 2016/679 will be applied taking into account the graduation criteria
established in section 2 of the aforementioned article.


2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679,
the following may also be taken into account:

a) The continuous nature of the infringement.

b) The linking of the offender's activity with the processing of personal data.

c) The benefits obtained as a consequence of the commission of the infringement.

d) The possibility that the conduct of the affected person could have induced the commission
of the infringement.

e) The existence of a merger by absorption process subsequent to the commission of the
infringement, which cannot be attributed to the absorbing entity.

f) The impact on the rights of minors.

g) Having, when not mandatory, a data protection officer.

h) The submission by the controller or processor, on a voluntary basis, to
alternative conflict resolution mechanisms, in those cases in which
there are disputes between them and any interested party."

Penalty for violation of article 6 of the GDPR.

In accordance with the transcribed precepts, and without prejudice to what results from the
instruction of the procedure, in order to set the amount of the sanction for each
violation, the fine for the violation of article 6 is graduated taking into account:

As an aggravating factor:


Article 83.2.b) RGPD: “negligence in data processing”, since it carries out the
processing of personal data, requesting the inclusion of personal data in
asset solvency files, without having a legitimizing basis for said
processing, taking into account that the complaining party claims not to have contracted the
debt due to having been the subject of alleged identity theft, facts that
were reported to the Police.

Although the claimed party proceeded to block the personal data of the complaining
party on February 6, 2023, after receiving the copy of the complaint filed with the
National Police, in which the complaining party reported having been a victim of identity
theft, between April 15 and 16, 2023 it again requested registration in
ASNEF-EQUIFAX.


Article 76.2 b) LOPDGDD: “The linking of the offender's activity with the
processing of personal data”. The activity of the claimed entity
requires continuous processing of personal data. Likewise, the claimed entity
carries out a high volume of personal data processing.


The factors set out above, that is, negligence in data processing, the linking of
the offender's activity with the processing of personal data and the repetition of
the commission of the same infringement by the claimed entity, allow the amount of
the fine to be initially assessed at €100,000 for the violation of article 6 of the
aforementioned RGPD.


Penalty for violation of article 17 of the GDPR

In accordance with the transcribed precepts, and without prejudice to what results from the
instruction of the procedure, in order to set the amount of the sanction for each
violation, the fine for the violation of article 17 is graduated taking into account:

As an aggravating factor:

Article 83.2.b) RGPD: “negligence in data processing”, since the claimed party,
despite being aware of the request for data deletion
of the complaining party, does not effectively proceed to its deletion.

Negligence in the processing of personal data arises from the facts that
appear in the file: the first request for deletion made by the complaining
party was not attended to; the second was responded to without considering the complaint
made to the police that the claimed party indicates was sent along with the
request for deletion; and, finally, despite the fact that the response
dated February 6, 2023 indicates that the claimant's request has been attended to, the
renewed inclusion at a later time in the asset solvency file
seems to prove that this was not the case.

Article 76.2 b) LOPDGDD: “The linking of the offender's activity with the
processing of personal data”, since the activity of the claimed entity
requires continuous processing of personal data. Likewise, the
claimed entity carries out a high volume of personal data processing.


The factors set out above, that is, negligence in data processing, the linking of
the offender's activity with the processing of personal data and the repetition of
the commission of the same infringement by the claimed entity, allow the amount of
the fine to be initially assessed at €100,000 for violation of article 17 of the GDPR,
for violating the measures necessary to respond efficiently to the exercise of the
right of deletion made by the complaining party.

Penalty for violation of article 37.7 of the GDPR

In accordance with the transcribed precepts, and without prejudice to what results from the
instruction of the procedure, in order to set the amount of the sanction for each
violation, the fine for the violation of article 37 is graduated taking into account:

As an aggravating factor:


Article 83.2.b) RGPD: “negligence in data processing”, since, despite
having knowledge of the claim presented by the complaining party before the
AEPD, and having made allegations identifying the actions carried
out by its data protection officer, there is no evidence of the effective appointment of
that officer nor of the formal communication of the officer's details by the claimed
party to this Agency, which demonstrates a lack of diligence on the part of the claimed entity.

Article 76.2 b) LOPDGDD: “The linking of the offender's activity with the
processing of personal data”, since the activity of the claimed entity
requires continuous processing of personal data. Likewise, the
claimed entity carries out a high volume of personal data processing.


The factors set out above, that is, negligence in data processing, the linking of
the offender's activity with the processing of personal data and the repetition of
the commission of the same infringement by the claimed entity, allow the amount of
the fine to be initially assessed at €25,000 for violation of article 37.7 of the RGPD
in relation to article 34.1 f) of the LOPDGDD, for not having communicated the details
of the Data Protection Officer of the claimed entity.

                                           XI

                                       Measures

As a consequence of each of the indicated infringements, it is agreed to impose on the
controller the adoption of appropriate measures to adjust its actions to the
regulations mentioned in this act, in accordance with the provisions of the aforementioned article
58.2 d) of the RGPD, according to which each supervisory authority may “order the
controller or processor to bring processing operations into compliance with
the provisions of this Regulation, where applicable, in a specified
manner and within a specified period….”

The imposition of this measure is compatible with the sanction consisting of an
administrative fine, according to the provisions of art. 83.2 of the GDPR.

Measures relating to article 6 of the GDPR

In relation to the violation of article 6 of the GDPR, the measures consist of
notifying, within a maximum period of one month from the notification of the resolution
adopted within the framework of this sanctioning procedure, the adoption of the following
measures:

    • Certification that there is no registration, requested by the complaining party and
      in relation to the debt that is the subject of this procedure, of the
      personal data of the complaining party in the asset solvency file
      ASNEF-EQUIFAX,

    • Effective improvements in the identity verification procedure that
      allow adequate verification of the identity of users requesting
      credits and that guarantee compliance with the principle of data
      minimization provided for in article 5.1 c) of the RGPD

Measures relating to article 17 of the GDPR


In relation to the violation of article 17 of the GDPR, the measures consist of
notifying, within a period of one month from the notification of the resolution of this
sanctioning procedure, the adoption of the following measures:

    • The approval of an adequate procedure that guarantees that no
      processing of personal data takes place, after its deletion has been confirmed,
      as a consequence of an exercise of the right of deletion.

    • The approval of a procedure that guarantees a quick and effective response
      to requests to exercise the right of deletion by
      its clients.

Measures relating to article 37.7 of the RGPD in relation to article 34.1 f) of LOPDGDD

In relation to the violation of article 37.7 of the GDPR in connection with article 34.1
f) of LOPDGDD, the measures consist of notifying to the AEPD, within a period of one
month from the resolution that is adopted in this sanctioning procedure, the details of
the data protection officer of the claimed entity.

Please note that failure to comply with the requirements of this Agency may be
considered an administrative offense in accordance with the provisions of the RGPD,
classified as an infringement in its articles 83.5 and 83.6, and such conduct may give
rise to the opening of a subsequent administrative sanctioning procedure.

In view of the above, the following is issued:


                           MOTION FOR RESOLUTION

That the Director of the Spanish Data Protection Agency sanction
IDFINANCE SPAIN, S.A.U., with NIF A66487190, for violations of articles
6, 17 and 37.7 of the RGPD, typified in articles 83.5.a), 83.5 b) and 83.4 a) of the RGPD,
with a penalty of €100,000 for the violation of article 6 of the RGPD, €100,000 for
the violation of article 17 of the RGPD, and €25,000 for the violation of article 37.7 of the
RGPD in relation to article 34.1 f) of the LOPDGDD, which implies a sanction
for a total amount of 225,000 euros (two hundred and twenty-five thousand euros).

That the Director of the Spanish Data Protection Agency order
IDFINANCE SPAIN, S.A.U., with NIF A66487190, by virtue of article 58.2.d) of the
RGPD, within a period of one month from the resolution adopted in this
sanctioning procedure, to have complied with the following
measures:

    • Certification that there is no registration, requested by the complaining
      party and in relation to the debt that is the subject of this
      procedure, of the personal data of the complaining party in the
      ASNEF-EQUIFAX asset solvency file,

    • Effective improvements in the identity verification procedure that
      allow adequate verification of the identity of users requesting
      credits and that guarantee compliance with the principle of data minimization
      provided for in article 5.1 c) of the GDPR

    • The approval of an adequate procedure that guarantees that no
      processing of personal data occurs, after its deletion has been
      confirmed, as a consequence of an exercise of the right of deletion.

    • The approval of a procedure that guarantees a quick and effective response
      to requests to exercise the right of deletion by its
      customers.

    • Notify the details of the claimed entity's data protection officer
      to the AEPD.

Likewise, in accordance with the provisions of article 85.2 of the LPACAP, you are
informed that you may, at any time prior to the resolution of this
procedure, make voluntary payment of the proposed sanction, which
will mean a 20% reduction in its amount. With the application of this
reduction, the penalty would be established at 180,000 euros and its payment will imply the
termination of the procedure, without prejudice to the imposition of the corresponding
measures. The effectiveness of this reduction will be conditional on the
withdrawal or renunciation of any administrative action or appeal against the
sanction.

In the event that you choose to proceed with the voluntary payment of the amount specified
above, in accordance with the provisions of article 85.2 cited, you must make it
effective by depositing it into the restricted account IBAN number: ES00 0000 0000 0000
0000 0000 (BIC/SWIFT Code: XXXXXXXXXXXX) opened in the name of the Spanish
Data Protection Agency at the banking entity CAIXABANK, S.A., indicating
in the concept field the reference number of the procedure that appears in the
heading of this document and the reason, voluntary payment, for the reduction of the
amount of the penalty. Likewise, you must send proof of payment to the
General Subdirectorate of Inspection so that it can proceed to close the file.

By virtue of this, you are notified of the above, and the procedure is made available to you
so that within a period of TEN DAYS you can allege whatever you consider in your defense and
present the documents and information that you consider pertinent, in accordance with
article 89.2 of the LPACAP.


                                                                               926-070623
Lorena Garcia Canales
INSPECTOR/INSTRUCTOR

>>


SECOND: On July 5, 2024, the claimed party proceeded to pay
the sanction in the amount of 180,000 euros, making use of the reduction provided for in the
proposed resolution transcribed above.

THIRD: The payment made entails the waiver of any administrative action or appeal
against the sanction, in relation to the facts referred to in the
proposed resolution.

FOURTH: In the proposed resolution transcribed above, the
acts constituting an infringement were set out, and it was proposed that the Director
require the controller to adopt appropriate measures to adjust its actions to the
regulations, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to
which each supervisory authority may “order the controller or processor to bring
processing operations into compliance with the provisions of
this Regulation, where appropriate, in a specified manner and within a
specified period…”



                           FOUNDATIONS OF LAW

                                           I

                                     Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD) grants each
supervisory authority and as established in articles 47, 48.1, 64.2 and 68.1 of
Organic Law 3/2018, of December 5, on the Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish
Data Protection Agency is competent to initiate and resolve this procedure.


Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions
issued in its development and, insofar as they do not contradict them, on a
subsidiary basis, by the general rules on administrative procedures."

                                           II
                            Termination of the procedure


Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure
of Public Administrations (hereinafter, LPACAP), under the heading
“Termination in sanctioning procedures”, provides the following:


"1. Once a sanctioning procedure has been initiated, if the offender recognizes his
responsibility, the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is solely pecuniary in nature, or when a pecuniary sanction
and another of a non-pecuniary nature may be imposed but the
inadmissibility of the second has been justified, the voluntary payment by the alleged
responsible party, at any time prior to the resolution, will imply the termination of the
procedure, except in relation to the restoration of the altered situation or the
determination of compensation for damages caused by the commission of the infringement.


3. In both cases, when the sanction is solely pecuniary in nature, the
body competent to resolve the procedure will apply reductions of at least
20% of the amount of the proposed penalty, these being cumulative with each other.
The aforementioned reductions must be determined in the notification of initiation
of the procedure and their effectiveness will be conditional on the withdrawal or renunciation of
any administrative action or appeal against the sanction.

The reduction percentage provided for in this section may be increased
by regulation."


In accordance with what has been stated, the Director of the Spanish Data Protection
Agency RESOLVES:

FIRST: DECLARE the termination of procedure EXP202302929, in
accordance with the provisions of article 85 of the LPACAP.


SECOND: ORDER IDFINANCE SPAIN, S.A.U. to notify the Agency, within 1 month
of this resolution becoming final and enforceable, of the
adoption of the measures described in the legal foundations of the
proposed resolution transcribed in this resolution.


THIRD: NOTIFY this resolution to IDFINANCE SPAIN, S.A.U.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure as prescribed by
art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure
of Public Administrations, interested parties may file a contentious-administrative
appeal before the Contentious-Administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
aforementioned Law.

                                                                             1331-16012024

Mar España Martí
Director of the Spanish Data Protection Agency





