AEPD (Spain) - EXP202315853: Difference between revisions
m (Spelling) |
m (Shortened) |
||
(2 intermediate revisions by the same user not shown) | |||
Line 71: | Line 71: | ||
The data subject had entered into a contractual relationship with the bank in order to pay off a mortgage. On the 23 February 2022, the debt was paid off by transferring the property to a company in which the bank had an interest. In the credit information system, the data subject was able to see a list of instances when the bank accessed his data from March 2022 until January 2023 after the end of the contractual relationship. The data subject alerted the bank of this breach on the 29 March 2023 to which he received a response on the 29 May 2023 stating that the bank had initiated measures to block access to the data. | The data subject had entered into a contractual relationship with the bank in order to pay off a mortgage. On the 23 February 2022, the debt was paid off by transferring the property to a company in which the bank had an interest. In the credit information system, the data subject was able to see a list of instances when the bank accessed his data from March 2022 until January 2023 after the end of the contractual relationship. The data subject alerted the bank of this breach on the 29 March 2023 to which he received a response on the 29 May 2023 stating that the bank had initiated measures to block access to the data. | ||
The bank had recorded the full conclusion of the contract in May 2022 as the last month in which risk derived from the contract. The bank argued that it was justified in accessing the data as it had made a partial write-off of the debt and as it continued to finalise the loan payments. | The bank had recorded the full conclusion of the contract in May 2022 as the last month in which risk derived from the contract. The bank argued that it was justified in accessing the data as it had made a partial write-off of the debt and as it continued to finalise the loan payments. | ||
Line 79: | Line 77: | ||
The AEPD found that the bank had breached [[Article 6 GDPR#1|Article 6(1) GDPR]] by failing to demonstrate a legal basis for the data processing after the contract had ended. It detailed that within a period of six months pending the termination of the contractual relationship, measures must be taken to ensure that the processing of personal data is justified through [[Article 6 GDPR#1|Article 6(1) GDPR]]. | The AEPD found that the bank had breached [[Article 6 GDPR#1|Article 6(1) GDPR]] by failing to demonstrate a legal basis for the data processing after the contract had ended. It detailed that within a period of six months pending the termination of the contractual relationship, measures must be taken to ensure that the processing of personal data is justified through [[Article 6 GDPR#1|Article 6(1) GDPR]]. | ||
The AEPD set the initial fine at €300,000 based on the bank’s annual turnover. Pursuant to [https://www.boe.es/buscar/act.php?id=BOE-A-2015-10565 Law 39/2015], a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €180,000. | |||
The AEPD set the initial fine at €300,000 based on the bank’s annual turnover. Pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €180,000. | |||
== Comment == | == Comment == |
Latest revision as of 15:01, 5 November 2024
AEPD - EXP202315853 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1) GDPR Law 39/2015 |
Type: | Complaint |
Outcome: | Upheld |
Started: | 17.11.2023 |
Decided: | 24.10.2024 |
Published: | |
Fine: | 180,000 EUR |
Parties: | Ibercaja Banco |
National Case Number/Name: | EXP202315853 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Ao |
The DPA fined a bank €180,000 for accessing the data of a former customer more than 47 times without any legal basis under Article 6(1) GDPR after the contractual relationship had ended.
English Summary
Facts
On the 17 September 2023, the data subject lodged a complaint with the Spanish DPA (AEPD) against Ibercaja Banco. The data subject claimed that although his contractual relationship with the bank had ended on the 23 February 2022, the bank accessed his file up to 47 times between March 2022 and January 2023.
The data subject had entered into a contractual relationship with the bank in order to pay off a mortgage. On the 23 February 2022, the debt was paid off by transferring the property to a company in which the bank had an interest. In the credit information system, the data subject was able to see a list of instances when the bank accessed his data from March 2022 until January 2023 after the end of the contractual relationship. The data subject alerted the bank of this breach on the 29 March 2023 to which he received a response on the 29 May 2023 stating that the bank had initiated measures to block access to the data.
The bank had recorded the full conclusion of the contract in May 2022 as the last month in which risk derived from the contract. The bank argued that it was justified in accessing the data as it had made a partial write-off of the debt and as it continued to finalise the loan payments.
Holding
The AEPD found that the bank had breached Article 6(1) GDPR by failing to demonstrate a legal basis for the data processing after the contract had ended. It detailed that within a period of six months pending the termination of the contractual relationship, measures must be taken to ensure that the processing of personal data is justified through Article 6(1) GDPR.
The AEPD set the initial fine at €300,000 based on the bank’s annual turnover. Pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €180,000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/15 File No.: EXP202315853 RESOLUTION TO TERMINATE THE PROCEDURE FOR VOLUNTARY PAYMENT From the procedure instructed by the Spanish Data Protection Agency and based on the following BACKGROUND FIRST: On October 1, 2024, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against IBERCAJA BANCO, S.A. (hereinafter, the respondent party), through the Agreement transcribed below: << File No.: EXP202315853 (PS/00380/2024) AGREEMENT TO START SANCTIONING PROCEDURE From the actions carried out by the Spanish Data Protection Agency and based on the following: FACTS FIRST: On 09/17/23, Ms. A.A.A. (the complaining party), filed a complaint with the Spanish Data Protection Agency. The complaint was directed against the entity IBERCAJA BANCO, S.A. (Ibercaja) with NIF.: A99319030, (the respondent party), for the alleged violation of the data protection regulations: Regulation (EU) 2016/679, of the European Parliament and of the Council, of 27/04/16, regarding the Protection of Natural Persons with regard to the Processing of Personal Data and the Free Circulation of these Data (RGPD), Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD). The claim was based on the following points: - That the contractual relationship he had with Ibercaja ended on 23/02/22 after the cancellation of a mortgage contract, being notarized, - That nevertheless, he was aware that the financial institution accessed his personal data existing in the BADEXCUG EXPERIAN asset file, on up to 47 occasions, from March 2022 to January 2023. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/15 - That he sent an email to the Ibercaja SAC on 29/03/23, to which the entity responded on 29/05/23 informing that they were proceeding to block the data, although the accesses to the file had already occurred. The following documentation is attached to the claim: - First page of the deed of sale, dated 02/23/22, with cancellation of the mortgage charge, in which the claimant appears as one of the sellers. - Certificate, dated 02/23/22, issued by the representative of the defendant, certifying that the claimant is, along with other persons, the holder of a mortgage loan, as well as: “3. That the parties reached an agreement by which the Debtors undertook to pay the Loan Debt by selling the mortgaged property to the IBERCAJA group at market price, and IBERCAJA undertook, once the sale was formalized and its possession delivered, to issue a letter of payment and settlement of the Loan Debt. (…) 4. That the Debtors, in execution of the aforementioned, have transferred the mortgaged property to (…), a company owned by IBERCAJA, for its market value, and IBERCAJA has granted a letter of payment and full settlement of the debt owed by the Debtors, referred to in the first section, expressly waiving the right to exercise any new action to claim it and to desist, where appropriate, from any actions it has taken up to that time against the Debtors, whether judicial or extrajudicial, to claim the aforementioned debt.” - BADEXCUG Report, dated 03/24/23, which includes all the queries made by the defendant party, from 04/01/18 to 01/08/23. This report contains the details of other debts recorded in the file at the request of IBERCAJA. However, it is noted that all of them are cancelled prior to the events that motivate the procedure: o Date subscriber identifier o (…) o 02/27/2022 00:29 ***NIF.1 IBERCAJA o 02/27/2022 01:19 “ IBERCAJA o (…) o 07/17/2022 00:24 “ IBERCAJA o 08/28/2022 00:31 “ IBERCAJA o 08/28/2022 01:55 “ IBERCAJA o 09/04/2022 00:20 “ IBERCAJA o 09/04/2022 02:07 “ IBERCAJA o 09/11/2022 00:24 “ IBERCAJA C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/15 o (…) o 25/12/2022 02:46 “ IBERCAJA o 01/01/2023 00:32 “ IBERCAJA o 01/01/2023 02:00 “ IBERCAJA o 08/01/2023 00:33 “ IBERCAJA o 08/01/2023 02:36 “ IBERCAJA - Complaint addressed, by email dated 03/29/23, to the respondent. In said email, the consultation of your personal data is stated monthly in an illegitimate manner, since you do not have any right to credit since 02/23/22. Likewise, she requests that these practices cease immediately. - Response received by the complainant, by email dated 03/29/23, in which she is informed that her personal data has been blocked in accordance with Article 32 of the LOPDGDD. - Report from the Central Risk Information Office of the Bank of Spain, dated 02/21/23, regarding the complainant's "aggregate risk report" between the months of May 2022 to January 2023 and which highlights the operations corresponding to the month of May 2022: o "... Data on operations corresponding to personnel Risk Drawn Amounts in euro units: XXXXXXXXXXXXXXXX… Transfer of data for this operation suspended by application of Article 66 of Law 44/2002 of November 22. IBERCAJA BANCO, S.A…” SECOND: On 13/11/23, in accordance with the mechanism prior to the admission for processing of claims made to the AEPD, provided for in article 65.4 of the LOPDGDD, which consists of forwarding them to the data protection delegates designated by the data controllers or processors, or to these when they have not been designated, and for the purpose indicated in the referred article, the claim was forwarded to the respondent party so that it could proceed to analyze it and respond within one month. The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (LPACAP), was notified on 13/11/23, as shown in the file. THIRD: On 14/12/23, this Agency received a written response from the respondent to the request for information made, in which it is stated that: - That the relationship with the claimant was the result of a mortgage loan formalized on 30/05/06, the non-payment of which led to a judicial debt collection procedure on 28/06/18. Subsequently, this judicial process resulted in provisional execution. However, both procedures were resolved through extrajudicial satisfaction after the signing C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/15 of a settlement agreement between the parties, on 23/02/22. The resolutions issued in the framework of said procedures were last notified on 27/04/22. - That in the settlement agreement signed between the parties, Ibercaja agreed to make a partial write-off of the debt, since the value of the mortgaged property transferred in payment did not cover the entire amount owed. After signing said agreement, Ibercaja proceeded to regularize the situation of the loan, eliminating the related information from the EXPERIAN-BADEXCUG file and the CIRBE. The final cancellation took place on 05/29/23 by blocking the corresponding data in its database, as THIRD: On 12/17/23, in accordance with article 65.5 of the LOPDGDD, the claim submitted was admitted for processing, (AT/05840/2023). FOURTH: On 12/20/23, after analyzing the documentation in the file, a resolution was issued by the Director of the Spanish Data Protection Agency in file AT/05840/2023, agreeing to file the claim due to the lack of rational indications of the existence of an infraction within the scope of the competence of the Spanish Data Protection Agency, and consequently, not proceeding to open a sanctioning procedure. The resolution was notified to the appellant on 12/20/23, as shown in the file. FIFTH: On 01/17/24, the claimant filed an optional appeal for reconsideration (RR/00038/2024) against the resolution issued in file AT/05840/2023, in which it expresses its disagreement with the contested resolution, requesting that the processing of the initial claim filed with the AEPD continue, based on the fact that the respondent had made repeated inquiries to its delinquency data in the BADEXCUG file, without having any contractual relationship with it and that the reports and documentation presented were not correctly taken into account, since they were not adequately assessed, since, by themselves, they had a key probative value of what it was saying. SIXTH: On 07/24/24, the Directorate of the Data Protection Agency issued a decision in favor of the appeal for reconsideration (RR/00038/2024), on the basis that the respondent has not proven the legality of the access to the claimant's personal data, carried out in the BADEXCUG credit information system after having ended their contractual relationship. LEGAL BASIS I. Competence In accordance with the provisions of articles 58.2 and 60 of the GDPR and the provisions of articles 47, 48.1, 64.2 and 68.1 and 68.2 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/15 Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures.” II. Unfulfilled obligation We must begin by recalling that article 4 of the GDPR defines, in its sections 1 and 2, the terms “personal data”; “processing” as follows: “1) “personal data”: all information about an identified or identifiable natural person (“the data subject”); An identifiable natural person is any person whose identity can be determined, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person; “2) “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of access, alignment or combination, restriction, erasure or destruction; For its part, the “Principle of legality” in the processing of personal data implies that all data processing must have a legal basis that justifies it, that is, it must be in accordance with a law and cannot be carried out in an arbitrary or unlawful manner, (Article 5.1.a) of the GDPR), so it is required that it is proven that the owner of the data consented to the processing of the same or that any other legitimizing cause established in art. 6 of the GDPR exists. That is: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/15 “1. The processing will only be lawful if at least one of the following conditions is met: a) the interested party gave his consent for the processing of his personal data for one or more specific purposes; b) the processing is necessary for the performance of a contract to which the data subject is a party or for the application at the request of the data subject of pre-contractual measures; c) the processing is necessary for compliance with a legal obligation applicable to the data controller; d) the processing is necessary to protect the vital interests of the data subject or of another natural person; e) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller; f) the processing is necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data, in particular when the data subject is a child…” In this regard, and in application to the case at hand, sections 20.1.e) of the LOPDGDD, on “Credit information systems”, establishes that: “1. Unless proven otherwise, the processing of personal data relating to the failure to comply with monetary, financial or credit obligations by common credit information systems shall be presumed to be lawful when the following requirements are met: e) That the data referring to a specific debtor may only be consulted when the person consulting the system has a contractual relationship with the affected party that involves the payment of a monetary amount or the affected party has requested the conclusion of a contract that involves financing, deferred payment or periodic billing, as occurs, among other cases, in those provided for in the legislation on consumer credit contracts and real estate credit contracts. When the right to limit the processing of data by challenging its accuracy has been exercised before the system in accordance with the provisions of Article 18.1.a) of Regulation (EU) 2016/679, the system will inform those who could consult it in accordance with the previous paragraph about the mere existence of this circumstance, without providing the specific data regarding C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/15 which the right had been exercised, while the request of the affected party is being resolved. In the present case, from the information and documentation in the file it is clear that there was a contractual relationship between the claimant and the defendant through a mortgage loan, the non-payment of which gave rise to a judicial procedure for debt collection and subsequently to a provisional enforcement procedure. That both procedures were terminated on 02/23/22 by extra-procedural satisfaction as a result of the signing of a settlement agreement before a notary, and this is stated in the certificate dated 02/23/22, issued by the defendant, in which it certifies, among other issues, that the debtors proceeded to transfer the mortgaged property to a company owned by Ibercaja, as payment of the debt, for its market value. In said agreement, the defendant granted a letter of payment and a full settlement of the debt, expressly waiving any subsequent action to claim it and desisting from judicial or extrajudicial actions. Furthermore, according to the reports of the Central Risk Office of the Bank of Spain (CRBE), the regularization of the mortgage contract concluded in May 2022, this being the last month in which the defendant entity declared the risk derived from the contract. However, according to the claim filed and the documentation provided by the claimant, it is noted that the respondent entity accessed the personal data of the claimant contained in the Badexcug-Experian solvency files on at least 47 occasions after the end of the contractual relationship on 23/02/22. These accesses took place between March 2022 and January 2023. The respondent entity, in its response to the transfer of proceedings, justified said accesses by arguing that, within the framework of the settlement agreement, the entity had performed a partial write-off of the debt, since the value of the transferred property did not cover the entire amount owed. He also stated that, after signing the agreement, he proceeded to regularize the loan situation, eliminating the information on it from both the EXPERIAN-BADEXCUG and CIRBE files, until the definitive cancellation of the operation by blocking the information in his database on 05/29/23. However, such statements have not been supported by documentation that refutes this claim. Well, we have seen how data processing requires the existence of a legal basis that legitimizes it and we see this in article 6.1 of the GDPR, which apart from consent, establishes other possible bases that can legitimize the processing of data without the need to have the authorization of its owner, such as when it is necessary for the execution of a contract in which the affected party is a party or for the application, at the request of the latter, of pre-contractual measures, or when it is necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that said interests do not prevail over the interests or fundamental rights and freedoms of the affected party that require the protection of such data or when it is necessary for the fulfillment of a C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/15 legal obligation applicable to the data controller, to protect vital interests. of the affected person or another natural person or for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the data controller. And in the particular case, when it refers to the processing of personal data in the area of credit information systems, article 20.1.e) of the LOPDGDD, presumes a lawful processing of the personal data of an individual, when they are consulted in the database of the solvency file by someone who maintained a contractual relationship with the affected party that implies the payment of a pecuniary amount or the latter had requested the conclusion of a contract that involves financing, deferred payment or periodic billing. Consequently, the consultation of the personal data of the claimant in the solvency file without there being a valid contractual relationship or any other legitimate cause that justifies such access could constitute an infringement attributable to the entity claimed, for violation of article 6.1 of the RGPD. in relation to article 20.1.e) of the LOPLDGDD. VII. Classification and qualification of the infringement If confirmed, the aforementioned infringement of article 6.1 of the GDPR could entail the commission of the infringements classified in article 83.5.a) of the GDPR, which considers that the infringement of “the basic principles for processing, including the conditions for consent pursuant to articles 5, 6, 7 and 9” is punishable, in accordance with section 5 of the aforementioned article 83 of the aforementioned Regulation, “with administrative fines of up to €20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual turnover of the previous financial year, choosing the highest amount”. The LOPDGDD in its article 71, indicates that: “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements”. And article 72.1.b, considers for the purposes of prescription, that they are “very serious”: 1. According to what is established in article 83.5 of Regulation (EU) 2016/679, infringements that imply a substantial violation of the articles mentioned therein and, in particular, the following are considered very serious and will prescribe after three years: (…) b) The processing of personal data without any of the conditions of legality of the processing established in article 6 of Regulation (EU) 2016/679. (…). VIII Proposed sanction For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence available at the moment of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/15 the agreement to initiate sanctioning proceedings, and without prejudice to the outcome of the instruction, it is considered that the sanction to be imposed should be graduated in accordance with the following criteria established in article 83.2 of the GDPR, which states: “2. Administrative fines shall be imposed, depending on the circumstances of each individual case, as an additional or substitute for the measures contemplated in article 58, section 2, letters a) to h) and j). When deciding whether to impose an administrative fine and its amount in each individual case, due account shall be taken of: (a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of data subjects affected and the level of damage suffered by them; (b) the intent or negligence of the infringement; (c) any measures taken by the controller or processor to mitigate the damage suffered by data subjects; (d) the degree of responsibility of the controller or processor, taking into account any technical or organisational measures they have implemented pursuant to Articles 25 and 32; (e) any previous infringements committed by the controller or processor; (f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate any adverse effects of the infringement; (g) the categories of personal data affected by the infringement; (h) the manner in which the supervisory authority became aware of the infringement, in particular whether and, if so, to what extent the controller or processor notified the infringement; (i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned in relation to the same matter, compliance with those measures; (j) adherence to codes of conduct pursuant to Article 40 or to certification arrangements approved pursuant to Article 42; (k) any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.” In accordance with these provisions, for the purposes of setting the amount of the penalty to be imposed in the present case for the infringement classified in article 83.5.a) and article 6.1 of the GDPR, for which the respondent is held responsible, in an initial assessment, the following factors are considered to be concurrent: - The duration of the infringement, since it is found that the respondent accessed the personal data of the complainant contained in the Badexcug-Experian solvency files on at least 47 occasions after the termination of the contractual relationship on 23/02/22, taking place over 9 months, between March 2022 and January 2023. (art. 83.2.a of the GDPR). - The close connection between the offender's activity and the processing of personal data.- The level of implementation of the entity and the activity it carries out, in which personal data of millions of interested parties are involved, are considered. This circumstance determines a greater C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/15 degree of demand and professionalism and, consequently, the responsibility of the entity claimed in relation to the processing of the data, (article 76.2.b of the LOPDGDD in relation to article 83.2.k). - The intention or negligence in the infringement, since the defendant accessed the personal data of the claimant on up to 47 occasions without the corresponding legitimacy, without the degree of diligence that the data controller is obliged to display in compliance with the obligations imposed by the data protection regulations, being able to cite the SAN of 17/10/2007. Although it was issued before the validity of the RGPD, its pronouncement is extrapolable to the case that we analyze. The sentence, after referring to the fact that the entities in which the development of their activity entails a continuous processing of data of clients and third parties must observe an adequate level of diligence, specified that "(...). the Supreme Court has understood that there is imprudence whenever a legal duty of care is disregarded, that is, when the offender does not behave with the required diligence. And in the assessment of the degree of diligence, the professionalism or lack of the subject must be especially considered, and there is no doubt that, in the case now examined, when the activity of the appellant is of constant and abundant handling of personal data, it is necessary to insist on the rigor and the exquisite care to comply with the legal provisions in this regard” (art. 83.2.b RGPD). - Any previous infringement committed by the person responsible or in charge of the processing of the data, taking into consideration the resolution dated 01/30/23 issued by the Board of Directors of the Data Protection Agency, in the sanctioning procedure PS/00241/2022, (art. 83.2.e.- RGPD). The balance of the circumstances contemplated in arts. 83.2 of the RGPD and 76.2 of the LOPDGDD, with respect to the infringement committed by violating the provisions of art. 6.1 of the GDPR, allows for an initial fine of 300,000 euros (three hundred thousand euros). IX. Adoption of measures. The corrective powers that the GDPR attributes to the AEPD as a supervisory authority are listed in its article 58.2, sections a) to j). If the infringement is confirmed, the controller may be required to adopt appropriate measures to adjust its actions to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the GDPR, according to which each control authority may “order the controller or processor to comply the processing operations with the provisions of this Regulation, where appropriate, in a certain manner and within a specified term…”. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/15 The imposition of this measure is compatible with the sanction consisting of an administrative fine, as provided for in art. 83.2 of the GDPR. The text of this agreement establishes the facts that have led to the violation of data protection regulations, from which it is clearly inferred what measures to be adopted are, without prejudice to the fact that the types of procedures, mechanisms or specific instruments to implement them correspond to the sanctioned party, since it is the one who fully knows its organization and must decide, based on proactive responsibility and risk approach, how to comply with the RGPD and the LOPDGDD. However, in the present case it is indicated that the measure to be adopted would be that, within a period of 6 months, those measures are taken to guarantee that the processing of personal data has the necessary legitimacy, fulfilling the requirements of article 6.1 RGPD. Please note that failure to comply with the order imposed by this body may be considered an administrative infringement in accordance with the provisions of the GDPR, classified as an infringement in its article 83.5 and 83.6, and such conduct may motivate the opening of a subsequent administrative sanctioning procedure. Therefore, in accordance with the above, by the Director of the Spanish Data Protection Agency, IT IS AGREED: FIRST: TO INITIATE SANCTIONING PROCEDURE against the entity IBERCAJA BANCO, S.A. with CIF.: A99319030, for the alleged infringement of Article 6.1 of the RGPD, classified in Article 83.5.a) of the RGPD. SECOND: TO APPOINT Mr. B.B.B. as Instructor, and Mr. C.C.C. as Secretary, indicating that any of them may be challenged, if applicable, in accordance with the established in articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP). THIRD: TO INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed by the claimant and its documentation, the documents obtained and generated by the General Subdirectorate of Data Inspection during the investigation phase, all of them part of this administrative file. FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations, the penalty that may apply would be 300,000 euros (three hundred thousand euros), without prejudice to the results of the instruction of this file. FIFTH: NOTIFY the present agreement to initiate sanctioning proceedings to the entity IBERCAJA BANCO, S.A., granting it a hearing period of ten business days to formulate the allegations and present the evidence it deems appropriate. In its written allegations it must provide its NIF and the file number that appears in the heading of this document. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/15 If you do not make objections to this initiation agreement within the stipulated period, it may be considered a resolution proposal, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP). In accordance with the provisions of article 85 of the LPACAP, if the sanction to be imposed is a fine, you may acknowledge your liability within the period granted for the formulation of objections to this initiation agreement; which will entail a 20% reduction of the sanction to be imposed in this procedure, equivalent in this case to 60,000 euros. With the application of this reduction, the penalty would be set at 240,000 euros, and the procedure would be resolved with the imposition of this penalty. Likewise, at any time prior to the resolution of this procedure, the proposed penalty may be voluntarily paid, which will mean a reduction of 20% of the amount of the penalty, equivalent in this case to 60,000 euros. With the application of this reduction, the penalty would be set at 240,000 euros and its payment will imply the termination of the procedure. The reduction for the voluntary payment of the penalty is cumulative with that to be applied for the recognition of responsibility, provided that this recognition of responsibility is made clear within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In this case, if both reductions were to be applied, the amount of the penalty would be set at 180,000 euros (one hundred and eighty thousand euros). In any case, the effectiveness of either of the two reductions mentioned will be subject to the withdrawal or waiver of any action or appeal through administrative channels against the penalty. If the decision is made to proceed with the voluntary payment of either of the amounts indicated above (240,000 euros or 180,000 euros), this must be made by depositing it in account number ES00 0000 0000 0000 0000 0000 opened in the name of the Spanish Data Protection Agency at Banco CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the reason for the reduction of the amount to which it is subject. Likewise, proof of payment must be sent to the Subdirectorate General of Inspection to continue with the procedure in accordance with the amount paid. The procedure will have a maximum duration of twelve months from the date of the start agreement or, where appropriate, the draft start agreement. After this period, it will expire and, consequently, the proceedings will be filed; in accordance with the provisions of article 64 of the LOPDGDD. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/15 Finally, it is noted that in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act. Mar España Martí Director of the Spanish Data Protection Agency. >> SECOND: On October 16, 2024, the respondent party has proceeded to pay the penalty in the amount of 180,000 euros using the two reductions provided for in the Commencement Agreement transcribed above, which implies the recognition of liability. THIRD: The payment made, within the period granted to formulate allegations at the opening of the procedure, entails the waiver of any action or appeal through administrative course against the penalty and the recognition of liability in relation to the facts referred to in the Commencement Agreement and its legal qualification. FOURTH: The aforementioned initiation agreement indicated that, if the infringement is confirmed, it may be agreed to impose on the person responsible the adoption of appropriate measures to adjust its performance to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the GDPR, according to which each supervisory authority may “order the person responsible or in charge of the treatment that the treatment operations comply with the provisions of this Regulation, where appropriate, in a certain manner and within a specified period…”. Having recognized the responsibility for the infringement, the imposition of the measures included in the initiation agreement is appropriate. LEGAL BASIS I Competence In accordance with the powers granted to each supervisory authority by article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures." C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/15 II Termination of the procedure Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading "Termination in sanctioning procedures" provides the following: "1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction is of a purely monetary nature or it is possible to impose a monetary sanction and another of a non-monetary nature but the inappropriateness of the second has been justified, voluntary payment by the presumed responsible party, at any time prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of the compensation for the damages and losses caused by the commission of the infringement. 3. In both cases, when the sanction is of a purely monetary nature, the competent body to resolve the procedure will apply reductions of at least 20% on the amount of the proposed sanction, which may be accumulated among themselves. The aforementioned reductions must be determined in the notification of initiation of the procedure and their effectiveness will be conditional on the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction. The percentage of reduction provided for in this section may be increased by regulation.” In accordance with the above, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: DECLARE the termination of procedure EXP202315853, in accordance with the provisions of article 85 of the LPACAP. SECOND: ORDER IBERCAJA BANCO, S.A. so that within 6 months from the date this resolution becomes final and enforceable, it notifies the Agency of the adoption of the measures described in the legal grounds of the Initiation Agreement transcribed in this resolution. THIRD: NOTIFY this resolution to IBERCAJA BANCO, S.A.. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative process as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file an administrative appeal before the Administrative Disputes Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/15 Administrative Disputes Jurisdiction, within two months from the day following notification of this act, as provided for in article 46.1 of the referred Law. 1259-151024 Mar España Martí Director of the Spanish Agency Data Protection C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es