AEPD (Spain) - PS/00421/2020: Difference between revisions
No edit summary |
No edit summary |
||
Line 48: | Line 48: | ||
|}} | |}} | ||
The Spanish DPA (AEPD) fined a financial institution €5000 | The Spanish DPA (AEPD) fined a financial institution €5000 for breaching the Spanish Act implementing the e-Privacy Directive by sending direct commercial communications without consent. | ||
==English Summary== | ==English Summary== |
Revision as of 10:11, 14 April 2021
AEPD - PS/00421/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | e-Privacy Directive Article 21(1) LSSI |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 07.04.2021 |
Fine: | 5000 EUR |
Parties: | BANCO DE SABADELL, S.A. |
National Case Number/Name: | PS/00421/2020 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD decision (in ES) |
Initial Contributor: | Óscar Jacobo |
The Spanish DPA (AEPD) fined a financial institution €5000 for breaching the Spanish Act implementing the e-Privacy Directive by sending direct commercial communications without consent.
English Summary
Facts
The client of a financial institution lodged a complaint before the Spanish DPA (AEPD) due to the delivery of a mail for commercial purposes, even though he had expressly rejected the delivery of commercial communications and promotional offers.
Dispute
Are the electronic communication sent by a financial entity to its clients to be considered as necessary for contract fulfilment or do they have commercial purposes (and thus would breach the principle of Article 21(1) of the Spanish Information Society Services Act (LSSI) regarding the delivery of electronic commercial communications to data subjects without prior authorization)?
Holding
The DPA rejected the argument of transaction-based customer communication and held that the mail had marketing purposes because the Controller publicizes its services, although the data subject had expressly indicated his refusal to receive advertising content.
As a result, the DPA considered that the financial entity violated Article 21(1) LSSI.
Furthermore, the commercial communication did not inform the recipient about his right to object to the processing of its data for marketing purposes.
As a consequence, the Spanish DPA imposed a fine of €5000.
Comment
It may seem that the Spanish DPA did not in-depth analyze the arguments expressed by the financial entity regarding whether the content included in the communication could be considered as necessary for contract fulfilment, particularly in the case of communications focus on reporting the maintenance of essential banking services during the lockdown.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/7 Procedure Nº: PS / 00421/2020 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: A.A.A. (hereinafter, the claimant) dated June 25, 2020 filed a claim with the Spanish Data Protection Agency. The claim is directed against BANCO DE SABADELL, S.A. with NIF A08000143 (in ahead, the claimed one). The reasons on which the claim is based are that said financial entity with which the claimant has contracted several financial products, on 06/17/20 he sent a commercial email, despite the fact that in your online account you have marked clearly you do not agree to receive advertising. Together with the claim, it provides a screenshot where it is seen marked in the COMMERCIAL INFORMATION AND PROMOTIONS section: "I do NOT want to enjoy offers that are 100% adapted to my profile." SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), with reference number E / 06046/2020, a transfer of said claim to the defendant, on July 17, 2020, to proceed with its analysis and inform this Agency within a month, of the actions taken carried out to adapt to the requirements provided in the data protection regulations, To date there is no reply in this regard. THIRD: On November 30, 2020, the Director of the Spanish Agency of Data Protection agreed to initiate a sanctioning procedure to the claimed, by the alleged violation of article 21 of the LSSI, typified in article 38.4.d) of the LSSI, which may be sanctioned with a fine of up to € 5,000, in accordance with article 39.1 c) of the LSSI. FOURTH: Once the aforementioned Initiation Agreement was notified, the defendant presented allegations in which indicated that on August 10, 2020, it responded to the request received on August 17, 2020. July, stating that the communication sent to the claimant was not commercial but operational. Likewise, the claimed entity states that given the situation and the social scenario and sanitary in which we found ourselves during the State of Alarm, novel and exceptional, sent operational and contractual communications to its clients in the reporting on new channels and new operational and communication options C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/7 due to the need to accompany our clients in the contractual execution maintained with the Bank. In no way attending to the emails sent does it appear that there was a campaign or commercial communication for the purpose of offering, promoting or selling products or services, but information on operational solutions to your efforts banks that it had, motivated by the State of Alarm situation and the closure or limitation of face-to-face operations at branches motivated by the pandemic, as well as by the limitation of movements itself. Consequently and in accordance with the foregoing and the content of the communications sent, the respondent considers that the article has not been infringed 21 of the LSSI, as no advertising communications or promotional. Likewise, it considers that article 38.4 of the same text has not been infringed either. legal, section d) that typifies the alleged infringement, as it is not a commercial communication as required by the precept. For this reason, it considers that no responsibility can be attributed to it since the only purpose of the emails sent are to accompany our clients in an exceptional situation, during the Alarm State that did not end until June 21, 2020, without prejudice to subsequent restrictive regulations of the mobility, informing them about new channels and operational options and communication related to the maintenance of the contractual relationship, but in no case for the offer or sale of products or services. FIFTH: On February 2, 2021, the instructor of the procedure agreed to the opening of a period of practical tests, taking as incorporated the preliminary investigation actions, E / 06046/2020. SIXTH: On February 7, 2021, a resolution proposal was formulated, proposing that the Director of the Spanish Data Protection Agency dictate sanctioning resolution against BANCO DE SABADELL, S.A. with NIF A08000143, with a fine of € 5,000 (five thousand euros) for the violation of article 21 of the LSSI, typified in article 38.4.d) of the LSSI. SEVENTH: On February 19, 2021, allegations were presented against the motion for a resolution stating the following: “The Agency comes to state that it is a fact that the right of the claim was violated. keep not receiving emails. That right has not been violated, what the claimant requested or stated is her need to enjoy offers: “I DO NOT want to enjoy offers that are 100% adapted to my profile ”, but he has not expressed his refusal to receive emails from the Ban- co for operational matters, as the email has been provided by the own claimant to the entity as a means of communication with the Bank with the purpose of the development and execution of the contractual relationship. " C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/7 The complainant also states that “in section 11 A of the conditions to the contracts signed by the plaintiff, the following mention is included regarding the use of email as a means of operational communication with the Bank: A.11. Communications. The Holders expressly empower the Bank so that all communication, information or notification, including details of movements, settlement of interests and those related to the change or modification of conditions or rates, which direct the Bank individually, can be facilitated or made available of the Holders, at the address of the account, or through any other channel face-to-face or through remote channels established by the Bank from time to time, without the need to send them the physical documentation, except for those documents that the Bank determines from time to time, warning of said Publication to the Headlines. For this purpose, the remote banking service is considered to be remote channels. in case they have contracted it (currently called "BS Online"), the Internet pages of the Bank, and any of the email addresses, mobile phone or similar means that the Holders have communicated to the Bank in each moment." The parties expressly agree that communications and information received by the Holders through remote channels will be equivalent to the referral physical documentation referred to in the previous paragraph. Holders have the right to request that the information be sent to them in paper format. " EIGHTH: Of the actions carried out in the present procedure, the accredited the following FACTS FIRST: The receipt of advertising emails by the financial entity with which the claimant has contracted several products financial statements, despite the fact that in your online account you have clearly marked that you do not accept receive publicity, as seen in the COMMERCIAL INFORMATION section AND PROMOTIONS: "I do NOT want to enjoy offers that are 100% adapted to my profile." SECOND: The claimed entity states that the communication sent to the claimant is not commercial but operational as a result of its contractual relationship. THIRD: The claimed, after receiving the proposed resolution of this sanctioning procedure, reiterates that the email sent to the claimant it was for operational reasons, acting in accordance with the contract that this entity has signed with the claimant, since the email address to the that the email was sent has been provided by the claimant to the financial institution, C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/7 as a means of communication with the Bank as a result of the relationship existing contractual. FOURTH: It is verified that the claimant has marked the box in her online account relative to "I DO NOT want to enjoy offers that are 100% adapted to my profile" and that therefore does not accept to receive publicity. Despite this, the claimant, on June 17, 2020, received a commercial email of the claimed entity, indicating: "Wherever you are, your bank is" and reminding you that you can make transfers, pay taxes or consult non-face-to-face movements (through remote banking that you already have hired); informing you of the Bank's customer service phone number to the procedures that you need related to your contracts already formalized; Y reminding you that you should not provide access codes, as well as that the Bank in no case will request them by email. FIFTH: It is verified that the financial institution does not provide a link to the complainant through which you can request to stop receiving advertising. FOUNDATIONS OF LAW I In accordance with the provisions of article 43.1, second paragraph, of the Law 34/2002, of July 11, on Services of the Information Society and Commerce Electronic (hereinafter referred to as LSSI) is competent to initiate and resolve this Sanctioning Procedure the Director of the Spanish Agency for the Protection of Data. II The facts presented, consisting of the sending of a commercial communication, are constituting an infringement, by the defendant to the provisions of article 21 of the current Law 34/2002, of July 11, on Services of the Society of the Information and Electronic Commerce (hereinafter LSSI), which provides the following: "1. The sending of advertising or promotional communications by email or other equivalent electronic means of communication that had not previously been requested or expressly authorized by the recipients of the same. 2. The provisions of the preceding section shall not apply when there is a prior contractual relationship, provided that the provider had obtained lawfully the recipient's contact details and will use them to send communications commercial related to products or services of your own company that are similar to those that were initially contracted with the client. In any case, the provider must offer the recipient the possibility of opposing the processing of your data for promotional purposes using a simple procedure and free, both at the time of data collection and at each of the commercial communications that you direct. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/7 When the communications have been sent by email, said means must necessarily consist of the inclusion of an email address email or other valid email address where this right can be exercised, it is forbidden to send communications that do not include said address. " The aforementioned offense is classified as minor in article 38.4.d) of the LSSI, which qualifies as such "Sending commercial communications by email or another equivalent electronic means of communication when such shipments do not comply with the requirements established in article 21 and does not constitute a serious offense ”. III In the present case, the violation of article 21 of the LSSI that is attributed to the claimed must be classified as a minor offense, considering the number of commercial messages sent to the claimant. The respondent states that the communications have not been of a commercial nature but to accompany their clients in an exceptional situation, during the Alarm Status, informing them about new channels and operational options and communication related to the maintenance of the contractual relationship, but in no case for the offer or sale of products or services. However, despite the goodwill of the claimed entity, it is a fact that violated the right of the claimant not to receive emails, a will that had expressly stated. It is considered that the mail received by the claimant on June 17, 2020, by the claimed entity, stating: "Wherever you are, your bank is" informing you and offering your services, specifically, that you can perform transfers, pay taxes or consult movements in a remote way (to through the remote banking that you have already contracted); and you are informed of the number of Bank customer service telephone number for the steps you need, you can be considered a commercial content email where the entity is offering its services to a customer who has indicated that they do not wish to receive advertising from you through of emails despite the existing contractual relationship between them. In addition, said financial institution does not provide the complainant with a link through which, This can exercise its rights, among others, to stop receiving advertising, such and as required in article 21.2 of the LSSI. IV In accordance with the provisions of article 39.1.c) of the LSSI, minor offenses may be sanctioned with a fine of up to € 30,000, establishing the criteria for its graduation in article 40 of the same norm, whose literal tenor is the following: "Article 40. Grading of the amount of sanctions. The amount of the fines that are imposed will be graduated according to the following C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/7 criteria: a) The existence of intentionality. b) Period of time during which the offense has been committed. c) The recidivism by commission of infractions of the same nature, when thus has been declared by final resolution. d) The nature and amount of the damages caused. e) The benefits obtained by the infringement. f) Billing volume affected by the infringement committed. g) Adherence to a code of conduct or an advertising self-regulation system applicable with respect to the offense committed, which complies with the provisions of article 18 or in the eighth final provision and that has been favorably informed by the competent body or bodies. " In relation to the criteria for graduation of sanctions contained in the transcript Article 40 of the LSSI, it is considered that in this case the criterion a) of the aforementioned article, inasmuch as there has been a lack of diligence by the complainant when using the complainant's email address to send you a commercial communication after confirming that it would be managed your request for the deletion of personal data, whenever a special knowledge of the requirements contained in article 21 of the LSSI to be an entity accustomed to sending this type of message in the development of its activity. Accordingly, it is considered appropriate, in accordance with the seriousness of the facts analyzed impose on the entity BANCO DE SABADELL, S.A., with NIF A08000143, a fine of 5,000 euros. Therefore, in accordance with the applicable legislation and assessed the criteria of graduation of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE BANCO DE SABADELL, S.A., with NIF A08000143, for a violation of article 21 of the LSSI, typified in article 38.4.d) of the LSSI, a fine of 5,000 euros (five thousand euros). SECOND: NOTIFY this resolution to BANCO DE SABADELL, S.A .. THIRD: Warn the sanctioned person that the sanction imposed by a Once this resolution is enforceable, in accordance with the provisions of the art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations (hereinafter LPACAP), within the payment period voluntary established in art. 68 of the General Collection Regulations, approved C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/7 by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by means of their entry, indicating the NIF of the sanctioned person and the number procedure that appears in the heading of this document, in the account restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Agency Spanish Data Protection in the banking entity CAIXABANK, S.A .. In case Otherwise, it will be collected in the executive period. Received the notification and once executive, if the date of execution is found Between the 1st and the 15th of each month, both inclusive, the deadline for making the payment volunteer will be until the 20th of the following or immediately subsequent business month, and if between the 16th and the last day of each month, both inclusive, the payment term It will be until the 5th of the second following or immediate business month. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month to counting from the day after the notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within two months from the day following notification of this act, as provided in article 46.1 of the referred Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses his intention to file contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through writing addressed to the Spanish Agency for Data Protection, presenting it through of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica- web /], or through any of the other records provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation that proves the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension. Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es