CNIL (France) - SAN-2020-009: Difference between revisions
From GDPRhub
No edit summary |
m (Mh moved page CNIL - SAN-2020-009 to CNIL - SAN-2020-00111) |
Revision as of 10:10, 10 December 2020
CNIL - SAN-2020-0111 | |
---|---|
Authority: | CNIL (France) |
Jurisdiction: | France |
Relevant Law: | Article 9(2) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 06.11.2020 |
Published: | |
Fine: | 800000 EUR |
Parties: | n/a |
National Case Number/Name: | SAN-2020-0111 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Jackline |
hello
English Summary
Facts
helo
Dispute
hi
Holding
bye
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/7 Procedure No.: PS / 00207/2020 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following: BACKGROUND FIRST: Mrs. A.A.A. (hereinafter, the claimant) dated April 9, 2019 filed a claim with the Spanish Agency for Data Protection. The The claim is directed against Servicios Prescriptor y Medios de Pago, E.F.C., S.A.U. with NIF A86373701 (hereinafter, the claimed one). The claimant states that the claimant requires the payment of a treatment of which he had only requested a budget without formalizing any contract of financing. He adds that his data was informed to the file of patrimonial solvency and credit BADEXCUG. It states that the events took place on *** DATE.1. And, among other things, it provides the following documentation: Letters sent by TEAM4 dated October 18, November 5 and 12 December 2018. Letter sent by EXPERIAN BUREAU DE CRÉDITO S.A. dated 15 of January 2019 informing the claimant of the inclusion of their data in the file BADEXCUG. Letter sent by ASNEF-EQUIFAX dated January 15, 2019 informing the claimant of the inclusion of their data in the ASNEF file. Complaint filed with the Municipal Consumer Information Office of Madrid on December 12, 2018. SECOND: In view of the facts reported in the claim and the documents provided by the claimant, on May 6, 2019 it was agreed not to admit for processing the claim presented by the claimant, in accordance with the stipulated in article 65.2 of the LOPDGDD, after the analysis carried out on the documents provided and the concurrent circumstances, there were no indications reasons for the existence of an infringement within the Agency's competence Spanish Data Protection. THIRD: The claimant filed on May 20, 2019, an appeal for replacement, providing new documentation, highlighting the contract, unsigned, of a medical treatment that the affected party states that it was never carried out and of which He had only requested a budget, finally opting for another treatment of a smaller budget and for which no financing was necessary. And it provides, among others, the following documents: Stomach reduction operation budget. Request for a loan contract not signed by the claimant. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/7 Newsletter of adherence to the insurance for death, unemployment, disability, etc. not signed. Communication from EVO FINANCE indicating the monthly payment plan. Request to the BANKIA entity for the refund of undue charges from EVO FINANCE and modification of SEPA direct debit order. On July 2, 2019, the Director of the Spanish Agency for the Protection of Data, agrees to estimate the appeal for reconsideration filed by the claimant against the Resolution of this Agency issued on May 6, 2019, having provided new relevant documentation for the purpose of considering that the question raised It could be contrary to current regulations on data protection. FOURTH: Information requested from EQUIFAX IBERICA, S.L. (hereinafter, EQUIFAX) on the data of the claimant informed to the ASNEF file, dated June 3 of 2020 is received in this Agency, response to the request sent by EQUIFAX stating that there are no records of the claimant of any entity in the file ASNEF. Information requested from EXPERIAN BUREAU de CRÉDITO, S.A. about the data of the claimant informed to the BADEXCUG file, dated July 1, 2020, receives in this Agency a response to the request sent by this company indicating that currently there are no data reported to the BADEXCUG file of the claimant, although in its historical file, there was a discharge reported by EVO FINANCE on January 13, 2019, for an unpaid amount of € XXX, which was Deregistration on June 23, 2019 as a result of the automatic update weekly data file sent by the entity. FIFTH: On August 11, 2020, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure to the claimed, by the alleged infringement of Article 6 of the RGPD, typified in Article 83.5 of the RGPD. SIXTH: Notified the initiation agreement, the claimed entity, by means of a written On September 17 of this year, it made, in summary, the following allegations: "The claimed has a loan and credit agreement duly signed through an electronic signature process with the intervention of a trusted third party in which the loan applicant was identified and her consent was obtained contractual, which was provided through the referred electronic signature process. 1. Evo Finance loan and credit agreement in the name of the claimant duly signed electronically through a service provider electronic trusted by means of the consignment of an OTP code “One Time Pasword " 1.1 Trusted electronic service of certified electronic contracting contracted by Prescriber Services with the service provider entity electronic trust Logalty Servicios de Tercero de Confianza, S.L. (hereinafter Logalty) aimed at proving the validity of the contract, the identity of the contractor and the provision of his consent. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/7 Prescriber Services (formerly “Evo Finance”) has contracted with the entity trusted electronic service provider Logalty a service of Certified Electronic Contracting. Logalty is a provider of trusted electronic services and other services in accordance with the provisions of the RGPD. In accordance with article 30.2 of the Electronic Signature Law, Logalty is included in the list of trusted electronic service providers, both qualified as unqualified, from the Ministry of Economic Affairs and Digital transformation. All communications between Client and Logalty are made through telematic transactions signed electronically under a secure system of communications. Logalty's Certified Electronic Procurement includes as standard the certified copy of the document perfected by the parties, with mechanism of control of the integrity of the content and making a notarial deposit of the summary function of the content of all contracts To this, the following documentary evidence is provided as document No. 4: I. Loan and credit agreement dated 08/02/2018 in the name of the claimant with his DNI signed by electronic signature with stamp of Logalty, unique identifier and time stamp, II. General Conditions sent by email to the claimant and additionally accessible via the address *** URL.1, as specified indicated in the contract; III. Documentation provided by the claimant during the hiring: a) copy of your ID, b) payroll of the claimant corresponding to the month of June 2018 and c) savings account in your favor accrediting the bank account incorporated into the contract in the Order of direct debit SEPA direct debit, IBAN account. IV. Certificate issued by Logalty in accordance with the indicated previously accrediting the contractual perfection This specific agreement, as well as the definition of the perfection process electronic contract is collected in two different places in the contractual documentation that was sent by email to the claimant to your email address For all, one cannot expect to find that the contractual document that is Provides it comes signed in handwritten form in the boxes enabled by the loan applicant. The aforementioned boxes are blank since the act of the signature is constituted by the series of electronic evidences that are accredited with the certificate provided as a non-manipulable document with a unique identifier, digitally signed by Logalty and time-stamped including the evidences electronic data obtained during the contracting process as well as the contract subscribed electronically. In this regard, it is noted that as part of the services provided by Logalty there is the sending of two SMS in case of mobile signature for the perfection / signature of the contract by the recipient. The hiring certificate C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/7 Electronic includes the contract downloaded by the client after receiving the email sent to your email address whose particular and general conditions were read and later accepted through the OTP code that was forwarded to your mobile phone number. The certificate carries a code of Unique identification matching the electronic timestamp listed on the right margin of the contract. In conclusion, the claimant electronically signed the Loan Agreement and Credit giving your consent to it and the treatment clause of personal data included in it As confirmation of the electronic signature of the loan contract Services Precriptor transferred the requested amount to the establishment designated by the claimant ”. FIFTH: On October 26, 2020, the respondent was notified of the opening of the trial period, taking as incorporated all the previous actions, as well as such as the documents provided by the claimed entity. PROVEN FACTS 1 On April 9, 2019, the claimant states that the claimed requires the payment of a treatment for which you have only requested a budget without formalizing any financing contract. 2 On September 17, 2020, the respondent states that the complainant accepted the particular and general conditions of the Loan and Credit Agreement giving your consent through an electronic signature process whose validity legal is the same as if it were handwritten. Proof of this is the certificate of electronic contracting issued by Logalty. 3 The name appears in the loan and credit contract dated 08/02/2018 of the claimant with their DNI signed by electronic signature with Logalty seal, unique identifier and time stamp, It consists of the remission of the General Conditions sent by mail electronic to the claimant and accessible additionally through the address *** URL.1, as indicated in the contract; Likewise, the documentation provided by the claimant during the hiring process: a) copy of your ID, b) payroll of the claimant corresponding to the month of June 2018 and c) savings passbook in your favor of the bank account incorporated into the contract in the direct debit order direct SEPA, IBAN account. Likewise, the certificate issued by Logalty in accordance with the indicated previously accrediting the contractual perfection. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/7 FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in arts. 47 and 48.1 of the LOPDPGDD, the Director of The Spanish Agency for Data Protection is competent to resolve this process. II Law 39/2015, of Common Administrative Procedure of the Administrations Public (LPACAP) establishes in its article 89.1 that “the end of the procedure, with filing of the proceedings, without the need for the formulation of the resolution proposal, when in the procedure instruction it is I manifest that any of the following circumstances concur: a) The non-existence of the facts that could constitute the offense ”. III The defendant is charged with committing an infraction for violation of Article 6 of the RGPD, "Legality of the treatment", which indicates in its section 1 the cases in which the processing of third party data is considered lawful: "1. The treatment will only be lawful if at least one of the following is met terms: a) the interested party gave their consent for the processing of their data personal for one or more specific purposes; b) the treatment is necessary for the performance of a contract in which the interested is part or for the application at the request of this of measures pre-contractual; (…) " The offense is typified in Article 83.5 of the RGPD, which considers as such: "5. Violations of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of maximum EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the highest amount: a) The basic principles for the treatment, including the conditions for the consent in accordance with articles 5,6,7 and 9. " Organic Law 3/2018, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD) in its article 72, under the heading "Infractions C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/7 considered very serious ”provides: "1. In accordance with the provisions of article 83.5 of the Regulation (E.U.) 2016/679 are considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned in that and, in in particular, the following: (…) b) The processing of personal data without the concurrence of any of the conditions of legality of the treatment established in article 6 of the Regulation (EU) 2016/679. " IV In the present case, after a detailed study of the documents in the present proceeding, and the claims of the defendant, We must point out that the loan and credit agreement of date 08/02/2018 the name of the claimant with her DNI signed by signature Logalty stamped electronics, unique identifier and time stamping, It consists of the remission of the General Conditions sent by mail electronic to the claimant and accessible additionally through the address *** URL.1, as indicated in the contract. Likewise, the documentation provided by the claimant during the hiring process: a) copy of your ID, b) payroll of the claimant corresponding to the month of June 2018 and c) savings passbook in your favor of the bank account incorporated into the contract in the direct debit order direct SEPA, IBAN account. Likewise, the certificate issued by Logalty certifying the perfection contractual. Therefore, the file of this sanctioning procedure proceeds. Considering the cited precepts and others of general application, the Director of the Spanish Agency for Data Protection RESOLVES: FIRST: ARCHIVE the sanctioning procedure PS / 00207/2020, instructed to Prescriptor and Means of Payment Services, E.F.C., S.A.U. with NIF A86373701, for having accredited person who used reasonable diligence, since the claimant formalized a financing contract. SECOND: NOTIFY this resolution to Prescriber Services and Media Pago, E.F.C., S.A.U. with NIF A86373701 In accordance with the provisions of article 50 of the LOPDPGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDPGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may file, optionally, an appeal for reconsideration before the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/7 Director of the Spanish Agency for Data Protection within a month to count from the day after notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law. Mar Spain Martí Director of the Spanish Agency for Data Protection 28001 - Madrid 6 sedeagpd.gob.es