AEPD (Spain) - EXP202303754
Revision as of 16:55, 16 July 2024
| AEPD - EXP202303754 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 6(1)(a) GDPR, Article 6(1)(b) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | 25.06.2024 |
| Fine: | 180,000 EUR |
| Parties: | Mapfre Inversión Sociedad de Valores, S.A. |
| National Case Number/Name: | EXP202303754 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | lm |
The AEPD fined an investment company €180,000 because it lacked a legal basis when it transferred a data subject's funds without the prior authorisation required by the contract or another form of valid consent. The controller was ultimately fined €180,000.
English Summary
Facts
A data subject and his spouse were clients of Mapfre Inversión Sociedad de Valores, S.A. (the controller), an investment securities company. The data subject entered into an asset management contract with the controller which authorised it to manage his funds and carry out investment operations on his behalf. The contract required express authorisation by both parties prior to all investment operations. Since contracting with the controller, the data subject had always opted for an electronic channel, authorising transactions with his passwords and electronic signature.
However, on 2 June 2021, the controller executed various transfer orders of the data subject’s funds, initiating six investment operations, without the data subject’s prior authorisation or consent. The data subject contacted the controller about the transfers; the controller acknowledged the irregularity and stated that there had been malpractice on the part of an agent. The controller offered to compensate the economic damage and return the data subject’s account to its prior status. The controller did not respond to the data subject’s questions about how the issue occurred (such as whether his signatures were forged).
The data subject subsequently filed a complaint with the Spanish DPA (AEPD). In response to the complaint, the controller stated that it had received several orders for investment operations from the data subject on 2 June 2021. The controller claimed that, instead of using the electronic channel, the data subject had requested a paper signature system, so an agent used their own employee PIN authorisation system via the controller’s application to record the data subject’s request on paper. The controller argued that in this case the representative was entitled to electronically order the transfer of funds with their own passwords and electronic signature and subsequently obtain the ratification of the data subject. However, the data subject did not ratify the request. Because of this absence of ratification, the controller sent the data subject a communication offering the possibility of revoking the transactions and being compensated. The data subject did not respond to this communication. The controller did not provide evidence that the data subject had initiated the transactions. In order to mitigate discrepancies that could occur with written signatures, the controller stated that it had adopted corrective measures as recommended by its DPO.
On 31 May 2023, the AEPD resolved to archive the claim because it lacked sufficient evidence to find an infringement of the GDPR. The data subject appealed the resolution and clarified that the June investment orders were not authorised by the data subject’s PIN or signature, but rather by the agent’s own account and PIN. The AEPD reopened the investigation pursuant to the appeal.
Holding
The AEPD found that the controller lacked a legal basis and imposed a fine of €180,000 on the controller.
Despite the contractual relationship between the parties, the AEPD found that Article 6(1)(b) GDPR did not provide a legal basis for the processing because it was not necessary for the execution of the contract. According to the contract, fund transfer operations require prior consent, not subsequent ratification. The AEPD rejected the controller’s argument that the agent was entitled to electronically order the transfer of funds and obtain subsequent ratification from the data subject. Given the agent’s failure to obtain the data subject’s consent prior to the transaction in accordance with the contract, the controller lacked a legal basis for the processing pursuant to Article 6(1)(b) GDPR. In addition, since there was no evidence that consent was obtained from the data subject in any case, Article 6(1)(a) GDPR also did not provide a legal basis.
The AEPD recommended a sanction of €300,000. Pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €180,000.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202303754

RESOLUTION TERMINATING THE PROCEDURE BY VOLUNTARY PAYMENT

From the procedure instructed by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: On May 31, 2024, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against MAPFRE INVERSIÓN SOCIEDAD DE VALORES, S.A (hereinafter, the claimed party), through the Agreement transcribed below:

<< File No.: EXP202303754 Sanctioning Procedure No.: PS/00236/2024

AGREEMENT TO INITIATE SANCTIONING PROCEDURE

From the actions carried out by the Spanish Data Protection Agency and based on the following

FACTS

FIRST: A.A.A. (hereinafter, the claiming party) filed a claim with the Spanish Data Protection Agency on July 4, 2023. The claim is directed against MAPFRE INVERSIÓN SOCIEDAD DE VALORES, S.A with NIF A79227021 (hereinafter, the claimed party/MAPFRE INVERSIONES). The reasons on which the claim is based are the following:

- That he is a client, together with his wife (B.B.B.), of the entity MAPFRE INVERSIONES, with which a wealth management contract was signed that enabled the claimed entity to manage the funds that had been deposited and carry out investment operations with them, always subject to the prior express authorization of both, by handwritten or electronic signature.

- That, however, on June 2, 2021, the claimed party executed several orders transferring the deposited capital, acquiring six investment funds, without their authorization, and that he does not know the method that was used to impersonate his signature and consent.

- That it was the claimant who became aware of the 6 investment operations when casually consulting the MAPFRE INVERSIONES APP that is used for the contracted investment management.

- In view of what happened, the claimant contacted the claimed party, which recognized its irregular actions, sending the claiming party the receipts of the controversial transfers and stating in an email of 11-26-21 that there had been "malpractice on the part of the representative of the claimed party", offering to "restore the original situation prior to the execution of the controversial operations, compensating for possible economic damage".

C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es

- That the claim remains unanswered regarding the questions raised by the claimant about the means by which those instructions were given, not knowing whether his signatures were forged or whether there was fraudulent use of the Logalty certificate (the mechanism used for the electronic signature of said operations), since to date it has not provided the signature and consent documents for said operations.

Along with the claim, he provides:

- Document 1. Screenshots of 12 transfer orders, among which are the 6 controversial investment orders.
- Document 2. The receipts of said transfers provided by the defendant.
- Document 3. List of movements in the account portfolio obtained to date from 15-6-21.
- Document 4. Tax information corresponding to the 2021 financial year of the portfolio that appears in the MAPFRE APP.
- Document 5. Copy of the email messages exchanged between the claiming and claimed parties, in which the former requests explanations and is told that the matter has been forwarded to the corresponding department and is pending resolution. Specifically, emails of June 17, June 18, June 23, June 25, September 3 and September 6, 2021, exchanged between the claimant and the director of Mapfre Gestión Patrimonial.
- Document 6. Letter presented by the claimant's lawyer to MAPFRE on November 15, 2021.
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), said claim was transferred to the claimed party so that it could proceed with its analysis and inform this Agency, within a period of one month, of the actions carried out to comply with the requirements provided for in the data protection regulations.

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was received on April 4, 2023, as appears in the acknowledgment of receipt in the file.

FOURTH: On May 4, 2023, this Agency received a response letter from the respondent indicating that:

- The defendant signed with the claimant and Mrs. B.B.B. a framework contract for financial products and services dated January 28, 2018.
- On 2-6-21 the agent who acted as representative of MAPFRE INVERSIONES (C.C.C., hereinafter, the representative of Mapfre) received several investment operation orders formulated by the claimant, and "following the order execution procedure that was implemented as of 2-6-21 in the entity, the representative of MAPFRE INVERSIÓN chose to use the paper signature system. In this context, the representative entered in the Mapfre Inversión application his professional mobile phone, on which he received the PIN code, which allowed him to sign through LOGALTY the orders given by D. A.A.A., so that they could be ratified by the client through his handwritten signature on paper".
- That, for unknown reasons, despite having ordered such operations, the claimant later refused to ratify, by means of his handwritten signature, the operations that he had ordered.
- After several attempts at a solution, the defendant sent a communication to the claimant on 11-26-21 in which he was offered the possibility of revoking the orders and being compensated for the damages, without the claimant answering in this regard.
- That it has learned that the claimant proceeded to redeem the funds acquired between June 11 and 15, 2021, "so that the result of the operations was assumed by the claimant, depriving Mapfre of the possibility of acting in any sense with respect to them."
- In order to mitigate discrepancies that arise in paper signing procedures, the defendant has adopted the corrective measures recommended by its Data Protection Officer, dated July 15, 2021.
- That the controversy concerns the existing discrepancies regarding the form and fulfilment of the framework contract signed with the appellants, for the resolution of which other avenues exist, and that there is no non-compliance in the processing of the appellants' personal data that falls within the responsibility of this Agency.

The following documentation is attached:

- Document 1. Framework contract for financial products and services signed between the claimant and the claimed entity, and acceptance document and signatures of January 28, 2018.
- Document 2. Email sent by the defendant to the claimant on November 26, 2021, in which it refers to the "malpractice" of the representative who executed the 6 investment orders.
- Document 3. Report on the corrective measures implemented by the defendant.

THIRD: On May 31, 2023, after analyzing the documentation in the file, a resolution was issued by the Director of the Spanish Data Protection Agency agreeing to file the claim, since at that time there were not sufficient evidentiary elements of the occurrence of an infringement that could overcome the principle of presumption of innocence.
The resolution was notified to the appellant on June 9, 2023, as recorded in the file.

FIFTH: On July 4, 2023, the claimant and the joint holder of the aforementioned contract, from which the relationship between the defendant and the claimant arises, filed an optional appeal for reconsideration through the Electronic Registry of the AEPD against the resolution issued in file EXP202303754, in which they express their disagreement with the contested resolution and request that the initial claim filed be processed.

On February 16, 2024, the appeal filed was sent to the claimed party within the framework of article 118.1 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the purposes of formulating allegations and presenting the documents and supporting evidence it deemed appropriate.

After requesting and being granted an extension of the deadline to make allegations against the appeal filed, the defendant presented a response document dated March 1, 2024, in which it:

- Considers reproduced the allegations contained in its previous letter, insisting that the controversy raised must be resolved by other instances or means, because it is not within the material responsibility of this Agency.
- Clarifies that the appellants' keys and PIN, and the signature that appears for them on the Logalty certificate, were not used in any case to order the investments, but that the agent who carried them out used his own account and user passwords.
- Adds that a meeting was held with the appellant on 6/21/21 in which he refused to sign the ratification or revocation of the investment orders, even though he was offered this alternative, so there is no documentation of ratification by signature of these operations by the appellants.
- Provides as Document 1 the representation contract signed by Mapfre Inversiones with the agent who was in charge of executing these investment operations.

In view of the allegations and documentation provided by the appellant and the appealed party, on May 10, 2024, a Resolution was issued by the Director of the Spanish Data Protection Agency in which the appeal is upheld and the admission of the claim for processing is agreed, since, as the ratification of the investment operations by the appellants has not been proven, there are indications of a possible lack of legitimacy of the claimed entity to process the personal data of the claimants when carrying out the 6 controversial investment operations.

FOURTH: According to the report obtained from the AXESOR tool on May 27, 2024, the entity MAPFRE INVERSIÓN SOCIEDAD DE VALORES, S.A is a large company established in 1989, with a turnover of €52,959,024 in 2022.

FOUNDATIONS OF LAW

I Competence and procedure

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants each supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions dictated in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."
II Previous issues

The name, surname, NIF and account numbers of the claimant and his wife, which appear in the 6 capital transfer orders and acquisitions of investment funds that were carried out by the defendant charged to the account contracted by both, are considered personal data, the processing of which is subject to the regime provided for in the RGPD, as well as its implementing provisions, in accordance with articles 4.1 and 4.2 of the GDPR, which provide the following:

"Article 4 Definitions

For the purposes of this Regulation, the following definitions apply:

1) "personal data": any information about an identified or identifiable natural person ("the data subject"); any natural person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, a telephone number, identification, location data, an online identifier or one or more elements of the physical, physiological, genetic, psychological, economic, cultural or social identity of said person, will be considered identifiable;

2) "processing": any operation or set of operations performed on personal data or sets of personal data, whether by automated procedures or not, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, broadcast or any other form of enabling access, collation or interconnection, limitation, deletion or destruction; (…)"

In the present case, in accordance with article 4.1 of the RGPD, the claimed entity processed personal data when executing, on behalf of the claimant and his wife, 6 fund transfer operations for the acquisition of the "LOW DURAT EURO COVER BC AC EUR" investment fund (hereinafter, investment funds) dated June 2, 2021, charged to the cash account that they contracted with MAPFRE INVERSIONES in 2018. These fund transfer orders were provided as Document 2 of the claim and were made by the agent/representative (C.C.C.) of the claimed entity.

The claimed party provides two contracts:

- Framework Contract for financial services and products dated January 28, 2018, signed between MAPFRE INVERSIONES (the entity) and the claimant and his wife (CLIENTS), which was provided as Document 1 of the response letter to the transfer (hereinafter, Framework Contract).
- Representation Contract signed between MAPFRE INVERSIONES and the representative C.C.C. (referred to as Agent, or C.C.C.) dated June 28, 2019 (hereinafter, Representation Contract).

In view of the documentation provided by both parties, there is no doubt that the aforementioned transfer or investment orders made by the agent of the claimed party were personal data processing operations in the sense of article 4.2 of the RGPD, since they involved access to the accounts of the claimant and his wife and the use of the personal data that they contained. Thus, as the claiming party proves by providing the receipts of the fund transfers made by the agent of the defendant to acquire these 6 investments, it can be seen that they show two account numbers owned by the claimant and his wife, who appear with their name, surname and NIF.

The claimed party raises, in the documents presented dated May 4, 2023 and March 1, 2024, the existence of a possible lack of material competence of this Agency to hear the facts prosecuted, which, according to the claimed party, relate to discrepancies between the parties regarding the execution of the contract signed, which it falls to other instances or bodies to resolve, and not to a breach of personal data protection regulations.
However, it is worth clarifying that the aforementioned transfer/investment orders, whose validity and legal effects it falls to other bodies or instances to determine, as the claimed party points out, necessarily entailed for their realization the execution of the personal data processing operations referred to, which are subject to certain requirements that the data protection regulations impose on the controller, the breach of which could constitute an administrative offence typified therein, the sanctioning power over which is the competence of this Agency.

In this sense, the doctrine established by the Contentious-Administrative Chamber of the National Court is applicable to this case, as reflected, among others, in the SAN of October 17, 2007, or in the SAN of July 3, 2007 (rec. 232/2005), whose Second Legal Foundation states:

"The appellant begins the defense of his claim by alleging the incompetence of the Data Protection Agency, since the controversy concerns the existence or not of a certain contract and this question is of an essentially civil nature and, consequently, removed from its jurisdiction, according to art. 37 of the LOPD. Actually, the Director of the Data Protection Agency has not ruled on whether the debt was due or not; rather, its resolution focuses on considering certain precepts of the LOPD infringed, binding to said infractions, as a consequence, the imposition of a sanction. It is enough to read the operative part of the contested resolution to confirm what has just been stated. And without a doubt it is fully competent to issue this resolution. Another thing is that, to exercise its competence, it must carry out factual or legal assessments whose nature we could classify as preliminary, and on which it could not adopt a final decision effective against third parties.

If the principle of data quality set out in the LOPD requires that the data processed by a third party concerning a person be accurate and truthful, the Administration specifically in charge of enforcing these regulations, for the sole purpose of considering this principle fulfilled or violated, can make an assessment of the accuracy and veracity of a certain piece of information, in this case of the certainty of a debt, without this meaning a departure from its rules of competence. This ground of challenge must be rejected."

The claimed entity is the controller of the personal data processing carried out in the present case, in accordance with article 4.7 of the GDPR, which provides the following:

"7) "controller": the natural or legal person, public authority, service or other body which, alone or jointly with others, determines the purposes and means of the processing; where Union or Member State law determines the purposes and means of the processing, the controller or the specific criteria for its appointment may be established by Union or Member State law (…)"

In the present case, the defendant states that it hired a representative or agent who was in charge of carrying out the aforementioned operations on its behalf. From the content of the Representation Contract signed with the agent it follows without any doubt that the controller of the personal data managed by its agent is MAPFRE INVERSIONES. Thus, from the "Annex for processing personal data" attached to the Representation Contract, it follows that it is the entity (MAPFRE INVERSIONES) that establishes the means and purposes of the processing of personal data managed by the agent.
And in Clause 10.5 thereof, it is indicated that the entity will be responsible for the actions of the representative, without prejudice to its right to bring actions against the representative if he deviates from what was agreed.

Consequently, if it is confirmed during the investigation that there was improper processing (unlawful in accordance with article 6.1 of the GDPR) of the personal data contained in the account contracted by the claimant and his wife, MAPFRE INVERSIONES will be the presumed responsible party from whom administrative responsibility will be required for the alleged non-compliance committed, in accordance with article 70.1 a) of Organic Law 3/2018, of December 5, on the protection of personal data and guarantee of digital rights (hereinafter, LOPDGDD):

"Article 70. Responsible subjects.

1. The following are subject to the sanctioning regime established in Regulation (EU) 2016/679 and in this organic law:

a) Controllers.
b) Processors.
c) The representatives of controllers or processors not established in the territory of the European Union.
d) Certification bodies.
e) The accredited bodies supervising codes of conduct. (…)"

III. Offending conduct: lack of a legal basis for the processing.

The processing of personal data of natural persons by controllers must be governed by the principles set out in article 5 of the RGPD, among which is the principle of lawfulness and transparency provided for in its first section, which states:

"1. The personal data will be: a) processed in a lawful, fair and transparent manner in relation to the data subject ("lawfulness, fairness and transparency"); […]"

Furthermore, article 5.2 of the GDPR indicates that: "The controller will be responsible for compliance with the provisions of section 1 and able to demonstrate it."

In development of this principle, article 6 of the RGPD, on the "Lawfulness of processing", determines in section 1 the cases in which the regulations allow the processing of a third party's personal data, which is called the "legal basis". If none of these assumptions or conditions occurs, the processing will not be legitimate, or considered lawful by the RGPD:

"1. Processing will only be lawful if it meets at least one of the following conditions:

a) the data subject gave his consent to the processing of his personal data for one or more specific purposes;
b) the processing is necessary for the performance of a contract to which the data subject is party or for the application at his request of pre-contractual measures;
c) the processing is necessary for compliance with a legal obligation applicable to the controller;
d) the processing is necessary to protect the vital interests of the data subject or of another natural person;
e) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of public powers conferred on the controller;
f) the processing is necessary for the satisfaction of legitimate interests pursued by the controller or by a third party, provided that the interests or fundamental rights and freedoms of the data subject that require the protection of personal data do not prevail over said interests, in particular when the data subject is a child.
The provisions of letter f) of the first paragraph will not apply to processing carried out by public authorities in the exercise of their functions."

This means that it is a mandatory requirement in terms of data protection that the claimed entity have one of these legal bases in order to carry out the personal data processing operations deriving from the 6 fund transfer and investment operations referred to in these proceedings.

In principle, given the existence of a contractual relationship between the claimant and the claimed party through the subscription of the Framework Contract referred to in the previous legal foundation, it is worth analyzing whether such personal data processing operations could have their legal basis in the ground provided in article 6.1.b) of the RGPD: "b) the processing is necessary for the performance of a contract to which the data subject is party or for the application at his request of pre-contractual measures".

Regarding whether the processing in question was necessary for the performance of the Framework Contract signed by the defendant and the claimant, the claimant maintains, in summary, that:

- In accordance with the contract, fund transfer operations (investment operations) require his prior consent (and not subsequent ratification), expressed through an electronic or handwritten signature, and that since contracting with the claimed party in 2018 he has always signed electronically all investment transfer orders through its APP, using his passwords and electronic signature.
- That upon consulting the aforementioned APP, he realized that the agent of the defendant had executed the 6 transfer orders without previously obtaining his signature.
- Denies that, as the entity says, the claimant or his wife requested the execution of these investments prior to the execution of the transfer orders.
- That the defendant proposed that he ratify said orders, which he refused.
- That in an email dated November 26, 2021, the defendant recognized that there had been malpractice on the part of the agent, and offered to ratify the transfer orders or revoke them at his option, but did not indicate how it was possible that the agent had accessed his account without having his username and passwords. This email has been provided to this procedure.

For its part, the defendant points out, in essence, the following arguments relevant to determining whether there was a legal basis in the present case:

- Regarding the process of executing the orders: "On 2-6-21 the agent acting as representative of MAPFRE INVERSIONES (C.C.C.) received several investment operation orders formulated by the claimant", and "following the procedure for executing orders that as of 2-6-21 was implemented in the entity, the representative of MAPFRE INVERSIÓN opted to use the paper signature system. In this context, the representative entered in the Mapfre Inversión application his professional mobile phone, on which he received the PIN code, which allowed him to sign through LOGALTY the orders given by D. A.A.A., to be ratified by the client through his handwritten signature on paper."
- That the procedure carried out within the framework of the contractual relationship did not compromise, and fully guaranteed, their rights and will, by requiring that the appellant party ratify or revoke, by signing, the orders that had been executed by the agent in his name and under his instructions.
- To avoid any damage in the event that said operations did not respond satisfactorily to his instructions or the agreed investment strategy, not only their revocation but also the restoration of the previous balance and product situation was permitted, and was thus offered on several occasions.
Both in a meeting held on 6-21-21, and in the email aforementioned email of 11-26-21 was offered such a solution without the claimant has expressed himself. - Points out that the agent did not deviate from the procedure for issuing and signing operations implemented at that time in the entity, and that the system has been modified later, precisely to avoid this type of situation controversial. - Following the events in dispute, on July 15, 2021, implemented modifications in the procedure for signing orders of paper operations, such as: establishing the minimum age of the client so that they can sign on paper instead of via LOGALTY, limit users who can authorize paper printing, establish a process for authorization prior to the management of the signature on paper, and limit it to a maximum of 24 hours the possibility of printing once authorized. Consequently, from the arguments presented it follows that it is not a question controversial, because it has been recognized by both parties, the one referring to the fact that the representative hired by MAPFRE INVERSIONES executed on June 2, 2021 a total of 6 fund transfer operations charged to the investment portfolio and associated account of the claimant and his wife. Nor is it controversial the fact that that the representative of the claimed entity did not obtain its prior authorization or communicated this fact to the account holders, and that the defendant offered the claimant subsequently ratify or revoke these transfer orders, without the claimant expressly accepts neither of these two options, filing complaint and asking for explanations about the custody of the personal data that the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/23 claimed was carrying out, by having allowed his representative to order said operations without having your electronic or handwritten signature. 
The main disputed issue in the present procedure is to determine whether, in accordance with the signed contract, it was necessary to obtain prior authorization from the account holders in order to execute the transfer/investment orders that gave rise to the processing of the personal data contained in their account, which is the subject of this procedure; or whether, as the claimed entity states, the agent was authorized to order the transfer of funds electronically with his own keys and electronic signature and subsequently obtain ratification by the account holders' handwritten signature on paper.

From the analysis of the documentation at hand, several pieces of evidence emerge that lead to siding with the version offered by the claimant. The most significant evidence is the following:

- Firstly, the claimed entity does not expressly deny that it is necessary to obtain the clients' consent and, despite stating that the agent followed the procedure established at that time (which allowed the agent to sign the operations electronically with his own passwords and signature and, after having executed them, obtain the clients' handwritten signature on paper), it incurs in various contradictions that lead to the opposite conclusion. Thus, according to its own statements and the background documented in the procedure, it is clear that the claimed entity apologized to the complainant for the agent's “malpractice” in the email sent to the claimant on November 26, 2021, and maintained various contacts and even a meeting with the claimant on June 21, 2021 for the purpose of offering him the option to ratify or revoke such operations. On the other hand, it points out that it has adopted new measures to rectify the aforementioned procedure of subsequent ratification on paper, implying an implicit recognition that this procedure was generating irregularities.
- The Framework Contract establishes the obligation to obtain the client's prior consent, signature or authorization in order to authorize payment operations or carry out any type of financial operation charged to the client. Thus, the Tenth Stipulation of the GENERAL STIPULATIONS of the Framework Contract, under “10.1.- AUTHORIZATION OF PAYMENT OPERATIONS”, states that: “Payment operations will be considered authorized when the CUSTOMER has given his consent to them, in accordance with the provisions of these General Stipulations, as well as in the respective Particular Stipulations, for each of the payment operations that the CLIENT and the ENTITY have agreed upon.” And on the other hand, the Seventh Stipulation of the PARTICULAR STIPULATIONS ON CUSTODY AND ADMINISTRATION OF THE INVESTMENT SECURITIES PORTFOLIO also specified: “So that the ENTITY can use on its own account or on behalf of another client the financial instruments that have been entrusted to it by the CLIENT, or establish agreements for securities financing operations on said instruments, the client must give his express authorization, in writing and formalized by means of his signature or equivalent mechanism, by which he authorizes the ENTITY to use its financial instruments in custody for the intended purpose and expressly accepted in the particular conditions that are established, which will include: obligations and responsibility of the ENTITY (including the remuneration in favor of the CLIENT for lending his securities), the conditions of restitution and the inherent risks. The use of these instruments will be restricted to the conditions previously accepted by the CLIENT.”
- The claimed entity indicates that it was the claimant who initiated the service by formulating the investment orders that were executed by the agent, which the claimant denies, stating that he became aware of them when they had already been executed, by viewing them in the “MAPFRE Financial Portal” APP. On this disputed point, it should be noted that the claimed entity has not provided documentation proving that the investment order came from the claimant, activating the so-called “service of reception, transmission and execution of investment orders” provided for in the framework contract. Nor is any such prior request reflected in the fund transfer receipts, the screenshots of the investment orders placed, and/or the lists of movements that were provided by the claimant.
- The procedure followed by the agent to order the transfer was not chosen by the client, as the Framework Contract requires. In accordance with the Seventh Stipulation of the General Stipulations of the Framework Contract, the client's consent or prior authorization could be obtained through two possible channels, the choice of which always belongs to the client: the face-to-face channel (handwritten signature in the office), or the internet (with passwords, username and electronic signature in the “Mapfre financial portal” APP): “(…) The CUSTOMER registration process in the ENTITY and the signing of this FRAMEWORK CONTRACT will necessarily be carried out through the in-person channel, that is, at the MAPFRE office of your representative. This FRAMEWORK CONTRACT cannot be signed until the CLIENT has presented all the documentation required by the ENTITY. Notwithstanding the above, once the FRAMEWORK CONTRACT is signed, the subsequent management of any operation related to the contracted products and/or services, as well as the contracting of new financial products or services, may be carried out, at the discretion of the CUSTOMER, either through the in-person channel (MAPFRE Office of the representative) or through the INTERNET, in accordance with the provisions of the following ‘Stipulation regarding access and use of remote channels’.”

Access to and use of remote channels could be carried out only by the client, through his own password, username and electronic signature, which were personal to each user and non-transferable. This is set out in the Eighth Stipulation of the General Stipulations of the Framework Contract, which regulates “8. ACCESS AND USE OF REMOTE CHANNELS”, stating that:

“Likewise, the ENTITY will initially automatically assign to each CLIENT a Password and an Electronic Signature, which must be modified by the CLIENT immediately after the first access, adhering to the alphanumeric criteria defined by the ENTITY at each moment. Notwithstanding the foregoing, the ENTITY reserves the right to accept or not an interested party as a USER. (…) These elements (User Identifier, Password and Electronic Signature), hereinafter the ‘keys’, will be personal to each USER and non-transferable, allowing access to operations in all those products and services in which said USER appears as Owner (sole or jointly with third parties) or as Authorized on behalf of the Holders. (…) From this moment, and once the keys have been validated by the ENTITY's systems, it will be understood that the orders transmitted to the ENTITY are firm instructions, with the express consent of the CUSTOMER and, therefore, with full legal effectiveness. The Parties grant to orders transmitted telematically, through the use of the keys, identical value to consent given in writing with a handwritten signature.”

In conclusion, it follows from these clauses that the choice between the two channels for ordering investments was up to the client and not to the agent, who opted for the in-person procedure, ordering and signing the investments with his own passwords, without it having been proven that it was the client (the claimant and his wife) who had requested that the investment be made in this way. In this case, moreover, the claimant states that since 2018 he had always chosen the electronic channel and had authorized each investment operation with his passwords and electronic signature. So in this case, with all the more reason, the agent should have consulted the client and obtained his prior consent before switching to the in-person channel. This, together with the fact that the entity was also obliged to obtain the client's prior consent before ordering a payment, as set out in general stipulation 10.1, implies without a doubt that the agent omitted the requirement to consult the client and obtain his prior consent, both to opt for the face-to-face channel and to order the payment and investment operations. This practice, in addition to involving unlawful processing of the personal data of the claimant and his wife, would violate the provisions of the “Annex on limitation of activity and representation services” of the Representation Contract, which expressly states that the representative: “Will not assume in any case any faculty or power of management over the financial instruments owned by the client, limiting its activity to the reception and transmission of orders on behalf of clients in relation to one or more financial instruments of the Mapfre group or of third parties”.
In conclusion, from the above it can be deduced that, according to the contract signed by the parties, it was necessary for the claimant and his wife to previously authorize both the use of the face-to-face or electronic channel and the fund transfer operations to acquire investments that were carried out by the agent of the claimed entity. And it appears in the file that the agent acted with “malpractice”, ordering 6 payment and investment operations without previously obtaining the necessary authorizations, which involved the use of the personal data of the account holders for which he lacked legitimacy. Therefore, it is understood that the personal data processing operations carried out by the agent of the claimed entity in the transfers lacked the legal basis of article 6.1.b) of the RGPD, as the processing was not necessary for the execution of the framework contract.

The same arguments would serve to rule out the existence of a legal basis under article 6.1.a) of the RGPD, given the lack of consent of the claimant and his wife, recognized by both parties. And there is no evidence that the claimed entity has proven the existence of any other legal basis among those provided for in the aforementioned article 6.1 of the RGPD.

Consequently, if the evidence provided by the parties to this procedure is confirmed during the investigation phase, this would imply that the claimed entity processed the personal data contained in the account of the claimant and his wife when ordering the fund transfers referred to in this procedure without being covered by any legal basis that would justify the lawfulness of the processing, which could entail a violation of article 6.1 of the GDPR.

IV. Typification and classification of the infringement

The conduct of the claimed entity could constitute a violation of article 6.1 of the GDPR, an infringement typified in article 83.5 of the GDPR, which establishes: "5. Violations of the following provisions will be sanctioned, in accordance with section 2, with administrative fines of a maximum of 20,000,000 Eur or, in the case of a company, an amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, opting for the larger amount: a) The basic principles for processing, including the conditions for consent, in accordance with articles 5, 6, 7 and 9.”

For the purposes of determining the limitation period for the infringement, the LOPDGDD in its article 72 classifies this violation of the RGPD as a very serious infringement. The precept states: "1. In accordance with what is established in article 83.5 of Regulation (EU) 2016/679, infringements that involve a substantial violation of the articles mentioned therein are considered very serious and will be time-barred after three years, and in particular the following: [...] b) The processing of personal data without any of the conditions of lawfulness of the processing established in article 6 of Regulation (EU) 2016/679 being met.”

V. Sanction: Administrative fine

Article 58.2 of the RGPD lists the corrective powers attributed to the AEPD as supervisory authority, including the power to impose an administrative fine (section i). Without prejudice to what results from the investigation of the procedure, at this stage of the initiation agreement it is appropriate to impose on the claimed party an administrative fine for the alleged violation of article 6.1 of the RGPD, for which it is held responsible.

Article 83 of the GDPR, “General conditions for imposing administrative fines”, states in section 1 that the supervisory authority will ensure that the imposition of fines for violations of this Regulation indicated in sections 4, 5 and 6 complies in each individual case with the principles of effectiveness, proportionality and dissuasiveness.
The principle of proportionality implies a correlation or adequacy between the infringement committed and the sanction imposed, prohibiting unnecessary or excessive sanctions, so that the sanction is suitable to achieve the purposes that justify it. Article 83.2 of the RGPD, through a list of criteria or factors for its graduation, establishes the technique for achieving adequacy between the infringement and the sanction. The precept provides:

“Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or instead of the measures contemplated in Article 58, paragraph 2, letters a) to h) and j). When deciding whether to impose an administrative fine and its amount in each individual case, the following will be duly taken into account: a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of interested parties affected and the level of damages they have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the controller or processor to alleviate the damages and losses suffered by the interested parties; d) the degree of responsibility of the controller or processor, taking into account the technical or organizational measures that have been applied under articles 25 and 32; e) any previous infringement committed by the controller or processor; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified the infringement and, in that case, to what extent; i) when the measures indicated in Article 58(2) have been previously ordered against the controller or processor in question in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under Article 40 or to certification mechanisms approved in accordance with Article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.”

Section k) of article 83.2 of the RGPD connects with article 76 of the LOPDGDD, “Sanctions and corrective measures”, which states: "2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account: a) The continuous nature of the infringement. b) The linking of the offender's activity with the processing of personal data. c) The benefits obtained as a consequence of the commission of the infringement. d) The possibility that the conduct of the affected person could have induced the commission of the infringement. e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity. f) The impact on the rights of minors. g) Having, when not mandatory, a data protection officer. h) The submission by the controller or processor, on a voluntary basis, to alternative dispute resolution mechanisms, in those cases in which there are disputes between them and any interested party.”

In accordance with the transcribed precepts and the information contained in the administrative file, the following factors, which show greater unlawfulness or culpability in its conduct, are taken into consideration in setting the amount of the fine with which it would be appropriate to sanction the claimed entity for the violation of article 6.1 of the RGPD:

- Article 83.2.a) of the RGPD: “the nature, severity and duration of the infringement”. The nature of the infringement attributed to the claimed entity affects a basic principle of data protection, the lawfulness of the processing, punishable, as stated, with a fine of up to 20 million euros or 4% of the turnover of the claimed party. The seriousness of the conduct is based on the fact that the financial institution acted without legitimation, unlawfully processing the personal data of the two account holders (name, surname, NIF and the account numbers that appeared in the orders). It is also considered that, in accordance with the fund transfer orders provided as Document 2 of the claim, the claimed entity carried out 6 processing operations of these personal data without legal basis, for an amount of 4,215 euros each, so that the unauthorized investment amounted to a total of 25,290 euros in the account corresponding to the investment fund from which said amounts were deducted. Regarding the duration of the violation for which the claimed entity is held responsible, it is considered that the violation was consummated on the day of the fund transfer operations, on 2-6-21.
- Article 83.2.b) The intentionality or negligence of the infringement: Although there is no apparent intention to act without legal basis on the part of the agent who ordered the transfers, serious negligence is observed in the actions of the agent and of the claimed entity, which claims to have been applying a procedure for ordering operations that is not provided for in the Framework Contract signed with the claimant, allowing its agents to execute orders without obtaining prior authorization from customers when the agent chooses the face-to-face channel. Taking into consideration that in the course of its business it is dedicated to investment management, in which these fund transfer operations occur with relative frequency, it is part of the minimum diligence required of a financial entity such as MAPFRE INVERSIONES to ensure that the necessary technical and organizational measures are adopted to prevent agents or employees acting on behalf of the entity from making these decisions without the clients' prior handwritten or electronic signature. Regarding the degree of diligence that the controller is obliged to deploy in complying with the obligations imposed by the data protection regulations, the SAN (judgment of the Audiencia Nacional) of 10/17/2007 (Rec. 63/2006), extrapolated to the case at hand, indicates that: “the Supreme Court has come to understand that recklessness exists whenever a legal duty of care is neglected, that is, when the offender does not behave with the required diligence. And in assessing the degree of diligence, the professionalism or otherwise of the subject must be weighed especially, and there is no doubt that, in the case now examined, when the appellant's activity involves the constant and abundant handling of personal data, emphasis must be placed on rigor and exquisite care to comply with the legal provisions in this regard.”
- The evident link between the business activity of the claimed entity and the processing of personal data (article 83.2.k of the RGPD in relation to article 76.2.b of the LOPDGDD). Given that the processing of numerous personal data of its clients is essential to the business activity of the claimed entity, and taking into account the very significant business volume of the financial institution at the time the events occurred, the significance of the infringing conduct that is the subject of this claim is undeniable.

Thus, without prejudice to what results from the investigation of the procedure, it is understood that, in light of the aforementioned graduation circumstances, a fine of €300,000 (THREE HUNDRED THOUSAND EUROS) is initially determined for the alleged violation of the provisions of article 6.1 of the RGPD.
VI. Imposition of corrective measures

If the violation is confirmed, the resolution issued may establish the corrective measures that the offending entity must adopt to put an end to the non-compliance with personal data protection legislation, in this case article 6.1 of the RGPD, in accordance with the provisions of the aforementioned article 58.2.d) of the RGPD, according to which each supervisory authority may “order the controller or processor to bring the processing operations into compliance with the provisions of this Regulation, where appropriate, in a certain manner and within a specified period…”

The imposition of this measure is compatible with the sanction consisting of an administrative fine, in accordance with the provisions of article 83.2 of the RGPD.

Thus, the responsible entity may be required to adapt its actions to the personal data protection regulations, with the scope expressed in the previous Legal Grounds. This act establishes the alleged infringement committed and the facts that could give rise to this possible violation of the data protection regulations, from which it is clearly inferred what measures to adopt, without prejudice to the fact that the type of procedures, mechanisms or specific instruments for implementing them corresponds to the sanctioned party, since it is the controller who fully knows its organization and must decide, based on proactive responsibility and a risk-based approach, how to comply with the GDPR and the LOPDGDD.

However, in this case, regardless of the above, in accordance with the evidence currently available at this agreement to initiate sanctioning proceedings, the resolution adopted may require MAPFRE INVERSIONES, within a period of 3 months from the date the resolution ending this procedure becomes enforceable, to instruct its agents to refrain from using their clients' personal data to arrange investments that fail to comply with the authorizations agreed in the framework contracts for financial or wealth management products and services signed by them, and to establish the appropriate technical means to make it impossible for said investment operations to be formalized by electronic signature by a person other than the client or a person authorized by the client.

It is warned that failure to comply with the possible order to adopt measures imposed by this body in the resolution of this sanctioning procedure may be considered an administrative offense in accordance with the provisions of the RGPD, classified as an infringement in its articles 83.5 and 83.6, and such conduct may give rise to the opening of a subsequent administrative sanctioning procedure.

Likewise, it is recalled that neither the recognition of the infringement committed nor, where applicable, the voluntary payment of the proposed amounts exempts from the obligation to adopt the pertinent measures to stop the conduct or correct the effects of the infringement committed and to prove to this AEPD compliance with that obligation.

Therefore, in accordance with the above, the Director of the Spanish Data Protection Agency AGREES:

FIRST: TO INITIATE SANCTIONING PROCEEDINGS against MAPFRE INVERSIÓN SOCIEDAD DE VALORES, S.A, with NIF A79227021, for the alleged violation of article 6.1 of the RGPD, typified in article 83.5 of the same RGPD.

SECOND: TO APPOINT R.R.R. as instructor and S.S.S. as secretary, indicating that they may be challenged, if applicable, in accordance with the provisions of articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).

THIRD: TO INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed by the complaining party and the claimed party, together with its documentation, as well as the documents obtained in the actions prior to the initiation of this sanctioning procedure and during the appeal phase.

FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the sanction that could correspond would be €300,000 (THREE HUNDRED THOUSAND EUROS), without prejudice to what results from the investigation.

FIFTH: TO NOTIFY this agreement to MAPFRE INVERSIÓN SOCIEDAD DE VALORES, S.A, with NIF A79227021, granting it a hearing period of ten working days to formulate the allegations and present the evidence it considers convenient.

In your written statement of allegations you must provide your NIF and the file number that appears at the head of this document.

If within the stipulated period you do not make allegations to this initiation agreement, it may be considered a proposed resolution, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP).

In accordance with the provisions of article 85 of the LPACAP, you may recognize your responsibility within the period granted for formulating allegations to this initiation agreement, which will entail a 20% reduction in the sanction that may be imposed in this procedure. With the application of this reduction, the penalty would be set at 240,000 euros, resolving the procedure with the imposition of this sanction.

Likewise, you may, at any time prior to the resolution of this procedure, make voluntary payment of the proposed sanction, which will mean a 20% reduction in its amount. With the application of this reduction, the penalty would be set at 240,000 euros and its payment will imply the termination of the procedure, without prejudice to the imposition of the corresponding measures.

The reduction for voluntary payment of the penalty is cumulative with that applicable for recognition of responsibility, provided that this recognition of responsibility is made within the period granted for formulating allegations at the opening of the procedure. The voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In this case, if both reductions were applied, the amount of the penalty would be set at 180,000 euros.

In any case, the effectiveness of either of the two mentioned reductions will be conditional on the withdrawal or waiver of any administrative action or appeal pending against the sanction.

If you choose to proceed with the voluntary payment of any of the amounts indicated above (240,000 euros or 180,000 euros), you must make it effective by depositing it into the account with IBAN number ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX), opened in the name of the Spanish Data Protection Agency at the banking entity CAIXABANK, S.A., indicating in the payment reference the procedure number appearing in the heading of this document and the reason for the reduction of the amount applied.

Likewise, you must send proof of payment to the General Subdirectorate of Inspection in order to continue the procedure in accordance with the amount paid.

In compliance with articles 14, 41 and 43 of the LPACAP, it is noted that, from now on, the notifications sent to you will be made exclusively electronically, through the Unique Enabled Electronic Address (dehu.redsara.es), and that, if you do not access them, your rejection will be recorded in the file, the procedural step being deemed completed and the procedure continuing. You are informed that you may indicate to this Agency an email address to receive notice that notifications have been made available, and that failure to send this notice will not prevent the notification from being considered fully valid.

The procedure will have a maximum duration of twelve months from the date of the initiation agreement or, where applicable, of the draft initiation agreement. After that period it will expire and, consequently, the proceedings will be archived, in accordance with the provisions of article 64 of the LOPDGDD.

Finally, it is noted that, in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act.

935-18032024
Mar España Martí
Director of the Spanish Data Protection Agency >>

SECOND: On June 20, 2024, the claimed party proceeded to pay the penalty in the amount of 180,000 euros, making use of the two reductions provided for in the initiation Agreement transcribed above, which implies recognition of responsibility.

THIRD: The payment made, within the period granted to formulate allegations to the opening of the procedure, entails the waiver of any administrative action or appeal pending against the sanction and the recognition of responsibility in relation to the facts referred to in the Initiation Agreement.
FOURTH: In the Initiation Agreement transcribed previously, it was stated that, if the infringement were confirmed, the person responsible could be ordered to adopt appropriate measures to bring its actions into line with the regulations mentioned in that act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to which each supervisory authority may "order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period…". The responsibility for the infringement having been recognized, the imposition of the measures included in the Initiation Agreement is appropriate.

FOUNDATIONS OF LAW

I Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants to each supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD provides that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, of this organic law, of the regulations issued in its development and, insofar as they do not contradict them, on a subsidiary basis, of the general rules on administrative procedures."

II Termination of the procedure

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading "Termination in sanctioning procedures", provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender recognizes their responsibility, the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is solely pecuniary in nature, or when both a pecuniary sanction and a non-pecuniary one may be imposed but the inappropriateness of the second has been justified, voluntary payment by the alleged responsible party, at any time prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of compensation for damages caused by the commission of the infringement.

3. In both cases, when the sanction is solely pecuniary in nature, the body competent to resolve the procedure will apply reductions of at least 20% of the amount of the proposed penalty, these being cumulative with each other. The aforementioned reductions must be determined in the notification of the initiation of the procedure, and their effectiveness will be conditioned on the withdrawal or waiver of any administrative action or appeal against the sanction. The percentage reduction provided for in this section may be increased by regulation."

In accordance with the above, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: DECLARE the termination of procedure EXP202303754, in accordance with the provisions of article 85 of the LPACAP.

SECOND: ORDER MAPFRE INVERSIÓN SOCIEDAD DE VALORES, S.A. to notify the Agency, within 90 days from the date on which this resolution becomes final and enforceable, of the adoption of the measures described in the legal foundations of the Initiation Agreement transcribed in this resolution.

THIRD: NOTIFY this resolution to MAPFRE INVERSIÓN SOCIEDAD DE VALORES, S.A.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure as prescribed by article 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the said Law.

1259-16012024
Mar España Martí
Director of the Spanish Data Protection Agency