AEPD (Spain) - PS/00226/2020: Difference between revisions
No edit summary |
(Just minor changes in wording. Very clear and well summarised, and a very good effort in distilling the main elements within a very long and detailed decision. Good job!) |
||
Line 51: | Line 51: | ||
}} | }} | ||
The Spanish DPA fined a Bank €2, | The Spanish DPA fined a Bank €2,100,000 for a violation of [[Article 6 GDPR|Article 6 GDPR]] in relation to [[Article 7 GDPR#4|Article 7(4) GDPR]] by conditioning the waiver of bank fees with consent to process personal data which were not necessary for the performance of the contract, and requesting this consent using pre-ticked boxes. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
Caixabank, a Spanish bank, is the controller in this case. In 2019, some of the bank's customers complained to the Spanish DPA (AEPD) stating that the bank was asking them to accept the consent terms for processing personal data through pre-ticked boxes. If the data subjects did not accept the terms, the bank would charge them a fee of €5 per month | Caixabank, a Spanish bank, is the controller in this case. In 2019, some of the bank's customers complained to the Spanish DPA (AEPD) stating that the bank was asking them to accept the consent terms for processing personal data through pre-ticked boxes. If the data subjects did not accept the terms, the bank would charge them a fee of €5 per month for the bank account's maintenance. | ||
The AEPD opened an investigation and sought details from the bank regarding its privacy policy | The AEPD opened an investigation and sought details from the bank regarding its privacy policy and advertising carried out for certain categories of bank accounts. The AEPD also physically inspected the bank for further investigation. | ||
In their defense the bank stated that the fee is not a charge, just a necessary fare for the providing of banking services to its customers and is, therefore, an essential element of the contract. The bank added that the exemption from the fees was a benefit given to interested parties, and also an essential element of the contract. | |||
According to the bank, [[Article 7 GDPR#4|Article 7(4) GDPR]] is not applicable to this case, since the terms of the contract do not mandate a condition, and consent for the processing of personal is not a must-have for signing the contract with the bank. It argued that a customer not consenting to the processing of personal data gets the same services that are being offered to a customer who has given their consent for the processing, and that customers were free to choose other banking products offered by the bank which were exempt from fees. | |||
=== Holding === | === Holding === | ||
The AEPD | The AEPD established that during a certain period, for new customers who chose a particular type of bank account, the consent acceptance fields were pre-ticked, In the AEPD's view, linking an exemption from fees to the provision of obtaining consent for the processing of personal data would mean that the consent was not given freely, since not giving consent entailed the payment of maintenance fees, which were detrimental to the data subject. | ||
In addition, the AEPD held that these charges cannot be considered an inherent element of the contract, and were at odds with the national law regarding payments for bank services ([https://www.boe.es/buscar/doc.php?id=BOE-A-2017-13644 Real Decreto-ley 19/2017 de cuentas de pago básicas, traslado de cuentas de pago y comparabilidad de comisiones]), which establishes that fees for basic bank accounts need to be freely agreed upon between the customer and the bank. The AEPD found that in this case, because consent could not be considered as being freely given, then the fees could also not be considered as freely agreed upon by both parties. | |||
The AEPD also noted that the bank's arguments related to the offering of different banking products were not relevant in this case, since these other products had different requirements based on, inter alia, customer's economic conditions, minimum purchases per month, insurance contributions and holdings into investment funds. The AEPD also established that linking processing of personal data with a waiver of fees could not be considered analogous to loyalty program. | |||
The AEPD held that in this case, the two legal bases for the lawful processing of personal data (ie. consent and performance of a contract), were merged or blurred, in violation of [[Article 7 GDPR#4|Article 7(4) GDPR]]. Based on these considerations, the AEPD issued a €2,000,000 fine against Caixabank for infringing [[Article 6 GDPR]] in relation to [[Article 7 GDPR#4|Article 7(4) GDPR]] by imposing conditions based on obtaining consent for the processing of personal data, for purposes that were not necessary for the performance of a contract. It also fined Caixabank an additional €100,000 for requesting this consent through pre-ticked boxes. | |||
== Comment == | == Comment == | ||
''Share your comments here!'' | ''Share your comments here!'' |
Revision as of 09:27, 9 March 2022
AEPD (Spain) - PS/00226/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6 GDPR Article 7(4) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 21.02.2019 |
Decided: | |
Published: | |
Fine: | 2,000,000 EUR |
Parties: | Caixabank |
National Case Number/Name: | PS/00226/2020 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | gauravpathak |
The Spanish DPA fined a Bank €2,100,000 for a violation of Article 6 GDPR in relation to Article 7(4) GDPR by conditioning the waiver of bank fees with consent to process personal data which were not necessary for the performance of the contract, and requesting this consent using pre-ticked boxes.
English Summary
Facts
Caixabank, a Spanish bank, is the controller in this case. In 2019, some of the bank's customers complained to the Spanish DPA (AEPD) stating that the bank was asking them to accept the consent terms for processing personal data through pre-ticked boxes. If the data subjects did not accept the terms, the bank would charge them a fee of €5 per month for the bank account's maintenance.
The AEPD opened an investigation and sought details from the bank regarding its privacy policy and advertising carried out for certain categories of bank accounts. The AEPD also physically inspected the bank for further investigation.
In their defense the bank stated that the fee is not a charge, just a necessary fare for the providing of banking services to its customers and is, therefore, an essential element of the contract. The bank added that the exemption from the fees was a benefit given to interested parties, and also an essential element of the contract.
According to the bank, Article 7(4) GDPR is not applicable to this case, since the terms of the contract do not mandate a condition, and consent for the processing of personal is not a must-have for signing the contract with the bank. It argued that a customer not consenting to the processing of personal data gets the same services that are being offered to a customer who has given their consent for the processing, and that customers were free to choose other banking products offered by the bank which were exempt from fees.
Holding
The AEPD established that during a certain period, for new customers who chose a particular type of bank account, the consent acceptance fields were pre-ticked, In the AEPD's view, linking an exemption from fees to the provision of obtaining consent for the processing of personal data would mean that the consent was not given freely, since not giving consent entailed the payment of maintenance fees, which were detrimental to the data subject.
In addition, the AEPD held that these charges cannot be considered an inherent element of the contract, and were at odds with the national law regarding payments for bank services (Real Decreto-ley 19/2017 de cuentas de pago básicas, traslado de cuentas de pago y comparabilidad de comisiones), which establishes that fees for basic bank accounts need to be freely agreed upon between the customer and the bank. The AEPD found that in this case, because consent could not be considered as being freely given, then the fees could also not be considered as freely agreed upon by both parties.
The AEPD also noted that the bank's arguments related to the offering of different banking products were not relevant in this case, since these other products had different requirements based on, inter alia, customer's economic conditions, minimum purchases per month, insurance contributions and holdings into investment funds. The AEPD also established that linking processing of personal data with a waiver of fees could not be considered analogous to loyalty program.
The AEPD held that in this case, the two legal bases for the lawful processing of personal data (ie. consent and performance of a contract), were merged or blurred, in violation of Article 7(4) GDPR. Based on these considerations, the AEPD issued a €2,000,000 fine against Caixabank for infringing Article 6 GDPR in relation to Article 7(4) GDPR by imposing conditions based on obtaining consent for the processing of personal data, for purposes that were not necessary for the performance of a contract. It also fined Caixabank an additional €100,000 for requesting this consent through pre-ticked boxes.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/117 File No.: PS/00226/2020 RESOLUTION OF PUNISHMENT PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND Of the actions carried out by the Spanish Data Protection Agency before the entity, BANKIA S.A., currently CAIXABANK, S.A. (hereinafter entity claimed), due to the analysis carried out by the Audit Unit of the Subdirectorate General for Data Inspection and claims filed by, D.A.A.A. (claimant 1); by D.B.B.B. (claimant 2); D. C.C.C. (claimant 3), D. DDD (claimant 4); by Dª E.E.E. (claimant 5) by D.F.F.F. (claimant 6), and D. GGG (claimant 7), and based on the following: ACTS FIRST: On 02/13/19, you had a written entry to this Agency, submitted by claimant 1 (E/03825/2019), in which he states the following: “As a client of Bankia, from the ON account, requires me to accept all the consents for processing processing of personal data, which appear already pre-marked or accepted. Furthermore, if I choose not to transfer my data to third companies, for example, they impose a rate of 5 euros per month to continue maintaining my account”. SECOND: On 02/21/19, the Director of the Spanish Agency for the Protection of Data, taking into account the analysis carried out by the Audit Unit of the Subdirectorate General for Data Inspection, relating to the marketing of a new current account (ACCOUNT ON), agrees to initiate investigation actions to in order to prove the existence of a possible violation of the protection regulations of data regarding the collection of the consent of the entity's clients BANKIA, S.A. THIRD: On 02/26/19, by the Subdirectorate General for Inspection of Data is required to the claimed entity, so that it sends to this Agency informa- tion about its privacy policy; documents generated and publicity made regarding the following current accounts and cards associated with them: a) ON Account and ON Debit Card b) ON Payroll account; ON Debit Card and INE Consumer Credit Card Credit ON Payroll and c) Count One & Two. FOURTH: On 03/19/19, Bankia sends this Agency a letter accompanied by documentation, in response to the request referred to in the previous point. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 2/117 1. In said writing, it is stated regarding the privacy policy the next: “The Privacy Policy that is applicable to the Entity, regarding the treatment processing of the data, is collected in the two documents that are listed below- tion and that are provided as evidence of this first point to this writing: - The document called "Processing of personal data" (TDP), which is generated and signature in the registration process of each client and that contains all the required information by the regulations in relation to the processing of data derived from the relationship contract that exists at all times between the client and the Entity. The TDP is edited both in the registration of clients in branches and in the registration of clients through the channels at a distance available to the Entity (Bankia Online and App). - Bankia's "Privacy Policy" available at ***URL.1. This page contains the legally required information regarding the processing of personal data. obtained through the websites and web tools owned by Bankia, not being applicable for those collected in the contracts that the user can formalize with the Entity, even if they are linked or related to the "channels" Bankia's communication data", since the provisions of this document will be applicable to said data. established in the TDP as explained in the previous point.” 2. TDP model is attached that is generated in the remote channels and model of TDP that is signed in the office, (documents 1 and 2) In the TDP document, regarding the information on the conditions for the treatment processing of personal data are collected, under the title "personal data", data relating to vos to customer identification, contact information, marital status, number of children, fe- date and province of birth, nationality and professional data. In said document The interested party is informed that the personal data requested by BANKIA will be treated in accordance with the basic data protection information that describes then, urging the interested party to read and understand it, before signing the document that collects the request for consent for the treatment of your data. Said basic information states that the controller is BANKIA, S.A., briefly describe the purposes of data processing, the legitimacy In general, for such treatments, the recipients of the information, makes a brief reference to the rights that the interested party can exercise, and a re- mission to additional information that you can access through a link to a page web page Next, the consent of the interested party is requested for different purposes, for each one of them must be marked yes or no: o -In a first block, consent is requested to send communications- commercial transactions in the following terms: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 3/117 In point 1.1 it refers to the sending of “personalized commercial communications”. completed through any channel (paper, electronic means, telematics). cos, digital, etc.) about products, services, promotions or discounts of the financial sectors (banking, investment and insurance), real estate, culture, travel, consumption and leisure based on your profile, drawn up from your personal data, the products you have contracted, as well as part- from the operations, movements or transactions associated with its pro- ducts." In point 1.1.1 consent is requested “for the sending of communications personalized commercial messages on products, services, pro- promotions or discounts of the referenced sectors based on their fil, made from your personal data and the products you have contracted." In point 1.1.2 it refers to “the sending of commercial communications personalized about products, services, promotions or discounts of the referenced sectors based on their profile, drawn up from operations, movements and transactions associated with its products cough". In point 1.1.3, the following options are differentiated for sending commercial communications to which, one by one, you can consent: ‐ Physical correspondence ‐ Electronic correspondence (email, ATMs, etc.) ‐ Mobile devices (instant messaging, push notifications, SMS, etc.) ‐ Telemarketing platforms - Social media ‐ Bankia and third party websites Point 1.2 refers to the consent for “the consultation of your data, for part of Bankia in the asset and/or credit solvency files, as well as as other similar sources of information, with the aim of offering you customized financing products.” In point 1.3, consent is requested to participate in programs loyalty, raffles, contests, surveys and social action programs or similar actions, as well as receive news and/or communications about the themselves through any channel (paper, electronic media, telematics). cos, digital, etc.) In points 1.3.1 to 1.3.3, 3 different so- applications: to participate in loyalty programs, to participate in sweepstakes, contests and surveys and to participate in action programs social or similar actions o -In another block, consent is requested for the transfer of data to third parties. Point 2 requests consent for the transfer of your personal data for commercial purposes, based on your profile, to companies and participating companies das of the Bankia group or collaborators, whose composition can be consulted updated way in a certain link that is indicated. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 4/117 In point 2.1, the transfer of your data to collaborators is requested. to carry out commercial actions that fit their needs, based on your personal data, the products you have contracted, as well as from the operations, movements or transactions associated with their products. In point 2.2, the transfer of your data to companies or individuals is requested. cipated by the Bankia Group to carry out commercial actions that are fit your needs, based on your personal data, the products that you have contracted, as well as from the operations, movements or transactions associated with its products. You are informed about the possibility of revoking and modifying at any time the consents given and oppose the treatments based on the in- legitimate interest and the exercise of the rights of access, rectification, deletion, opposition and limitation to the treatment and portability of the data. 3- The specific pre-contractual information of the “ON” account is attached; of the card associated ON debit card, from the “ON NOMINA” account, from the “ON NOMINA” card, from the “UN & DOS” account and associated “UN & DOS” card. (documents 8, 9, 10 and 11) In the pre-contractual information on each of them, the product is described and the ca that the administration and maintenance fees of the account, as well as the associated card fees, transfers in euros, national and EU subject to regulation 260/2012, carried out by non-face-to-face channel and check deposits in eu- payments payable in the national market will be free as long as all holders Lares maintain a digital profile. The Digital Profile will be held when, among other stipulations, it is fulfilled that: - All holders have provided Bankia with their mobile phone number and co- electronic mail. - All holders have authorized Bankia, by subscribing the do- Document of Processing of Personal Data, equivalent document or con- corresponding treatment, the treatment of your personal data for the sending of commercial communications through any enabled communication channel, including email and mobile phone. - All holders have authorized Bankia, by subscribing the do- Document of Processing of Personal Data, equivalent document or con- corresponding treatment, the transfer of your personal data to companies of your group for the analysis of your profile for commercial purposes.” Said pre-contractual information details the commissions applicable to the different these accounts, being the established commissions, coincident for all the accounts, the following: - Maintenance fee X EUR. Free if account holders have digital profile. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 5/117 - Administration commission (per note) X,XX EUR. Free if holders of the account has a digital profile With regard to the commissions of the different debit cards associated with the aforementioned accounts, are the following, according to said pre-contracted information: tual: - Registration fee XX € (free if all customers meet the digital profile). - For maintenance XX € (free if all customers meet the digital profile). Likewise, the specific pre-contractual information of the ON credit card includes indicates that it will accrue the following commissions: “XX € main card, in the event that the holders of the associated account do not maintain the digital profile and the first holder of the account keep the payroll or direct debit pension.” The ON Account contract model (document 12) contains the following conditions: commission exemptions ON Account and ON Debit cards associated with it. me: “The account maintenance and administration commissions, the credit card fee, ON Debit fees associated with it (maximum one card per holder), and the commissions income from checks in euros payable in the domestic market and those from trans- Conferences in euros, national and EU, subject to regulation 260/2012, made by non-face-to-face channel and for any amount, will be exempt, and will not apply provided that all account holders meet the following requirements: (…) - They have authorized Bankia, by signing the document of Trafficking- processing of personal data, equivalent document or corresponding contract te, the processing of your personal data for sending communications with commercials through any communication channel enabled, including email email and mobile phone, as well as the transfer of your personal data to companies dams of your group for the analysis of your profile commercial effects. - (…) Bankia will periodically control compliance with the requirements indicated above- mind and, in case of detecting that any of them is not fulfilled, it will be applied automatically, both to the account and to the associated debit cards, the con- particular standard conditions of the same collected in this contract.” In the contract model Account ONE & TWO (document 14) there are identical conditions tions for exemption from commissions Account UN & DOS and Debit cards ONE & DOS associated attached to it. Likewise, in the ON PAYROLL Account Contract model, cards Debit ON and Credit cards ON Payroll associated with it, (document 13) are require in the same terms the requirements previously transcribed, as well as their periodic control and the consequences of non-compliance. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 6/117 FIFTH: In addition to the initial claim, the following were filed with this Agency: following claims: On 02/26/19, it had entry into this Agency in writing, presented by the Claimant 2 (E/03826/2019 processed under reference E/3825/2019), in the which exposes the following: “My claim is based on the violation of the right not to consent to the sending of commercial communications and the penalty applied for it. in entity Bankia bank has applied a charge for "collection of services" on the 1st of February I open my checking account. Telephone contact with the entity to see the reason for the charge, I'm told that my account type is Account ON and that I meet all the characteristics of the digital profile except one, that "all two holders have authorized Bankia, by signing the document Processing of Personal Data, equivalent document or corresponding contract tooth, the processing of your personal data for sending communications commercials through any enabled communication channel, including email. tronic and mobile phone". I understand that no charge can be applied to me for the exercise of said rights. chos, especially when the consent for the commercial use of my data must be expressly consented. Formulated these allegations to the Delegate of Pro- Protection of Bankia Data, tells me that, by not accepting to receive commercial advertising by all means, I do not comply with what they consider a "digital profile" and, therefore, Therefore, I must assume commissions and expenses that, in case of accepting to receive publicity commercial, I would not have.” With the date of entry into this Agency 02/28/19, it is presented in writing by the Claimant 3 (E/04093/2019, processed under reference E/3825/2019), in the which reveals, among other extremes, the following: “After years as a client bank entity mentioned, began to charge commissions from November 2018 in concept of "CHARGE FOR SERVICES COLLECTION". To the ask the entity about these concepts, its response was that, (...)- in in relation to the claim that you have made for the collection of commissions in your account. ta On, we indicate that what is generating this charge is that you have to modify car that SI was similar: "The clients of the ON Account must accept the reception advertising and the transfer of your personal data to third parties or, otherwise, will receive a monthly commission of five euros". On 04/08/19, it had entry into this Agency in writing, submitted by claimant 4, (E/05449/2019), stating that: “Bankia demands the complete transfer of full of my personal data so as not to charge me a monthly commission of 5 eu- ros, so the RGPD is violated. One of the conditions of your ON Account to not having to charge commissions is to have accepted the entirety of the consent of data transfer. When I was asked about that on your website, I rejected the sending advertising and commercial messages to my email and my phone, and at no time did I receive information that I would be charged commissions from maintenance not accept. I feel that they extort me to keep my data and thus be able to send spam and unwanted commercial mail to my accounts”. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 7/117 On 06/19/19, it had entry into this Agency in writing, submitted by claimant 5, (E/06961/2019), in which she states the following: “I opened an account call: "ACCOUNT ON", in which following certain guidelines on on the use of e-mail and mobile phones for communications and correspondence dence, you are exempt from paying commissions for the maintenance of the account. A few months ago I decided to withdraw the data processing consent to: 1."receive personalized information about discounts, promotions, products, services of the financial sector or others, through any channel based on my preferences. personal relations" 2. "That Bankia consult my data in the asset solvency files and/or credit, as well as other similar sources of information with the aim of offering- personalized financing products" 3. "I agree to participate in loyalty programs, sweepstakes, contests, surveys and social action programs or similar actions, as well as receive news and/or co- communications on them through any channel (paper, electronic means) unique, telematic, digital, etc.)." And consent to data transfer: 4. "Share my personal data with so- investee companies and companies or collaborators of the Bankia group so that they can offer me your products or services" As a consequence of this, Bankia has begun to charge me for collection of account maintenance services of 5 euros per month”. On 08/07/19, it had entry into this Agency in writing, submitted by claimant 6 (E/07830/2019), in which it states that: “Bankia has changed the conditions of the checking account I have with them. They force me to accept I can advertise for them and their partners if they don't charge me 5 euros a month for maintenance. niment SIXTH: Dated 05/09/19, 06/26/2019, 07/16/2019 and 08/14/2019, in view of the facts set forth in the claims and documents provided by the claimants, the Subdirectorate General for Data Inspection proceeded, in accordance with the seen in article 65.4 of Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights, to give transfer of the claims information received from the Data Protection delegate of the claimed entity, the effects provided for in article 37 of the aforementioned regulation. SEVENTH: On 06/11/19, the entity claimed, files a written answer- tion to the transfer of the first, second and third claims, in which it is indicated what is transcribed below regarding the claims filed, on the causes that have motivated the incidents and the measures adopted and information About the clients who have contracted the ON accounts: Regarding the claimant 1.- C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 8/117 After analyzing the products associated with claimant 1, it has been verified that the claimant mante is currently an ON account holder. In relation to said client, It is clear that you have exercised any right before the Entity in relation to with your data, nor that the consents that were provided have been modified dated January 19, 2018, regarding the processing of your data for sending commercial communications not consenting to the possibility of transferring the data to Bankia Group companies. Attached is the contract formalized by the in which the consents provided are recorded. two in the indicated direction. Likewise, it has been verified that there is no claim any initiated against Bankia by this client or through its management office. ra, nor before the Customer Service (“SAC”), nor before the Office of the Delegate Data Protection (“DPO Office”). Consequently, we have no evidence of that no incident has been generated with this client, associated with their ON account. Regarding the claimant 2.- In relation to (complainant 2), it has been verified in the same way that said client You have been the holder of an On account, although it is currently cancelled. lada. Regarding the consents given, it must be indicated that as stated in our database the processing of your data for commercial purposes was not initially consented in October 2017, and later this non-consent was maintained. sentiment through the signing of the corresponding TDP dated August 18, 2018 through Bankia Online (BOL); all this according to documents nº2 and nº3 that accompany. Regarding the claims presented by this client, he addressed both to protecciondedatos@bankia.com, email address that appears in the contracts and in which the interested parties can exercise their rights in relation to their data, and to the Office of the Data Protection Officer on February 6 and 7, 2019 respectively, requesting in both cases the retrocession of the charges for collections of commissions that had been made in your ON account on February 1, ro of 2019. The answer to his claim was made from the office of the Protection Delegate. tion of Data, dated February 22, 2019, informing you that the collection of the charges missions was due to the fact that, as established in his contract, at the date of commission of the same, the requirements of the profile were not being fulfilled by the holders therefore, in that period it was not appropriate to apply the bonus of certain commissions of the ON account contractually foreseen, among others the commission of maintenance and management of the account and the associated ON debit card fee attached to it. In this sense, the client was offered the possibility of canceling said product and take another of those that Bankia has available in its catalog and in those that do not apply the conditions of the digital profile. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 9/117 Attached as documents No. 4 and No. 5 are the emails sent by the claimant and the replies to them sent from the Office of the DPD. Subsequently, on May 22, 2019, the claimant proceeded to cancel tion of the ON account in his office, and filed a claim with the SAC reiterating the retrocession request of the commissions generated and showing their disagreement. with the conditions of the aforementioned digital profile. As a result of said claim, with Date May 24, 2019 Bankia proceeded to pay the amounts claimed. Attached as documents No. 6 and No. 7 claim received at the SAC and answer- tion to said claim sent to (claimant 2). Regarding the claimant 3.- It has been verified that you have contracted an ON account and you have submitted several claims. tions in relation to it, as detailed below. Regarding the consents given, it should be noted that as stated in our database the processing of data for commercial purposes is found lent in November 2018, partially modifying these consents through the signing of the corresponding document "Modification of Treatment Authorizations” (“MTA”) on both February 23, 2019 and February 28, 2019; all this according to documents nº8, nº9 and nº10 attached. Regarding the claims presented by this client, two complaints have been located. claims filed with the SAC in the months of November and December 2018, claiming the collection of commissions in the ON account for the respective months. As a result of this claim, said commissions were regularized, being the cause that gave rise to the regularization applied by the SAC the fact of not having located the contract signed with the client. Attached as documents No. 11, No. 12, No. 13 and No. 14 complaints received at the SAC and their response Regarding the incidents and the measures adopted: The requirement itself transfers the facts that motivate the claims of the clients, which in extract are the following: “Obligation to accept as clients of the "Account ON" consent to the processing of your personal data, which appears as pre-marked or accepted and specifically, "the reception of advertising and the transfer of your personal data to third parties” to avoid charging commissions for the maintenance lie of said account.” Based on what was transferred and once said extract was analyzed, as well as the func- maintenance of the ON account in all its modalities and the process of collecting feelings, the following conclusions have been reached: - There is no obligation to accept any consent on the treatment of personal data in the process of contracting the ON account, having proven that any client can hire it without the provision of that consent prevents their hiring. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 10/117 - Something different is that the client complies with the conditions of the so-called "digital profile", which may mean that in certain products the Entity can apply a payment exemption, that is, an exclusion from the payment of finished commissions of the contracted products that have this type of profile and as long as the client maintains the same, as already explained. It which is justified based on the digital profile of the relationship between the client and the Entity, and the advantage of making it more efficient by using tion of digital media in commercial communications. - The process of managing consents by customers, which allows not only lend them freely and through any of the Entity's channels. but also modify them at any time and as many times as the client wants in an agile and simple way, guarantees that said consent is lend freely. Indicates that it has been sent on June 11, 2019, communication to customers about this request for information in relation to claims We are transferred. A copy of these is attached as documents nº17, nº18 and nº19. Information about clients who have contracted the ON accounts: Bankia is requested by this Agency to provide the following information: Number of customers who have contracted with Bankia S.A. the accounts “Account On”, “Account On Nó- mine” and “Account One&Dos”, indicating the number of clients of each account and customers who accepted "the receipt of advertising and the transfer of their personal data nals to third parties” and those who do not. As of May 31, 2019: Product ON Total Clients ON Payroll Account 27,700 Count One & Two 1,178 Account ON 1,168,122 Regarding the consent given by the holders of the On informative accounts, given, the status of said consents as of May 31 is also provided of 2019: account Number of clients Advertising Cession of Advertising Cession of (YES) Data (YES) (NO) Data (NO) ON Payroll 27700 26896 26896 804 804 One & Two 1178 1134 1119 44 59 ON 1168122 937942 924662 23180 243460 EIGHTH: On 07/25/19, 08/06/2019 and 09/12/2019, the entity claimed, pre- files written responses to the transfers of claims, fourth, fifth and sixth, respectively. In these writings the following is stated: Regarding claimant 4 C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 11/117 “The claim is based on its non-compliance with the requirements for the fulfillment of the digital profile in relation to the ON Account. The complainant alleges that Bankia requires him to comply, among other requirements, with the assignment full of your personal data to be entitled to the commission bonus monthly fee of 5 euros contractually agreed. After receiving the aforementioned request, from the Office of the Protection Delegate Data collection, we proceeded to verify whether prior to addressing the AEPD, the claim mantemente has initiated any claim for this fact before the Entity, either through your management office or by contacting the Data Protection and Privacy Delegate or to Customer Service. Once said verification has been carried out, there are no claims any claim initiated against Bankia by this client. As recorded in the Bankia systems, on July 20, 2018 (claims mante) granted their consent through Bankia Online by signing the document “Processing of Personal Data” (hereinafter, “TDP”). Copy of said document is attached as document No. 1. These consents were partially modified, dated April 8, 2019, by the claimant through the same channel, proceeding in this case to the signature of the document “Modification of Treatment Authorizations” (hereinafter, “MTA”). It ad- Board a copy of said document as document No. 2, in which they are granted positively all the consents and thus continue to the date of issuance of the pre- feel report. Regarding the claimant's assertion regarding the requirement of complete assignment of personal data for the exemption from the collection of the maintenance commission, there is to indicate that it has been verified that the fact that Bankia is consented or not processes your data for certain commercial purposes has not conditioned, in any In any case, contracting the ON Account or any other product of the Entity by the claimant. Another thing is that it meets the conditions of the so-called "digital profile", which which means that Bankia can apply an exemption from payment of commissions, that is to say an exclusion from the payment of certain commissions for those clients who have that type of profile and as long as it stays the same. Regarding claimant 5 “According to the Bankia systems, on June 16, 2015 the claim- gave you their consent in a positive sense in an office of the Entity, for which which signed the document "Personal Data Processing" ("TDP"). A copy is attached of said TDP as document nº1. These consents were modified by the claimant on January 22, 2019, through Bankia Online (BOL) by signing a new TDP document in which all the consents were negatively granted. Attached copy of said TDP as document nº2. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 12/117 Subsequently, these consents have been modified again and in a part by the claimant on June 19 (twice at 6:33 p.m. and 7:13 p.m.), June 30 and July 11, 2019 through Bankia Online, proceeding to the signing of the corresponding documents of "Modification of Treatment Authorizations" (“MTA”). A copy of the corresponding MTA is attached as documents nº 3, 4, 5 and 6. Regarding the alleged violation of the right of opposition of the claimant to receive bir personalized information on discounts, promotions and financial products, as well as the transfer of your personal data to group companies or collaborators, It should be noted that the fact that the claimant has consented or not to both treatments tions has not conditioned, in any case, the contracting process of the Account On or the exercise of their rights as an interested party. Bankia has fully complied with its right to object, insofar as it has been able to modify and can do so again through any of the channels of the entity. ity, their consents (in the case of the claimant, on up to five occasions). A different thing is that the claimant complies with the conditions of the so-called "profile digital”, which means that Bankia can apply an exemption from payment of commissions, that is, an exclusion from the payment of certain contractually agreed commissions. mind for those customers who meet that type of profile and for as long as they are keep the same. Regarding claimant 6: “The claimant contracted an On Account and on that same date, positively granted their consents by signing the corresponding document "Treatment of Personal Data” (hereinafter, “TDP”). A copy of the Account contract is attached On as document no. 1 and a copy of the formalized TDP as document no. 2. These consents were subsequently updated and revoked by the claimant. dated May 25, 2019, through Bankia Online, by signing a new TPD. A copy of said TDP is attached as document no. 3. Later, the claimant partially modified his consents on July 3 and 8, 2019, proceeding in these cases to the signing of the document "Modification of Treatment- Authorizations” (hereinafter, “MTA”). A copy of both documents is attached. as document nº4 and document nº5 respectively. Likewise, said brief concludes that “The conditions that the claimant must meet- you as the holder of an On Account to have a digital profile are those that appear in the contract signed by the claimant on November 21, 2016, without having been modified by Bankia at any time contrary to what is stated in the claim. mation. Likewise, there is no obligation to accept any consent on the treatment of personal data in the process of contracting the On Account. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 13/117 A different thing is that the client complies with the conditions of the so-called “digital profile”. such”, which may mean that in certain products the Entity may apply a payment exemption, that is, an exclusion from the payment of certain commissions of the contracted products that have this type of profile and provided that the client keep the same, as already exposed. What is justified on the basis of one's own digital profile of the relationship between the client and the Entity, and the advantage of making aware of it through the use of digital media in commercial communications. mercials. And in this sense, the claimant has been answered, providing a copy of said communication. nification as document no. 6”. -The 3 briefs substantially reiterate the conclusions set forth in the brief of 06/11/19, and which are reflected in the previous point in the section “on the incidents and measures taken" NINTH: All claims to file E/02026/2019 are accumulated. TENTH: Dated 12/12/2109, under the investigative powers granted to the control authorities in article 57.1 of the RGPD, an inspection visit is carried out in the Bankia establishment, in which, as stated in the corresponding minutes, tooth, the representatives of said entity state, to questions from the inspectors yes, the following: Regarding the so-called digital profile As indicated, by maintaining the digital profile, the customer of ON products from BANKIA benefits from a series of commission bonuses. As stated in the specific informative documents (IPE – Contrac- Current Specific) of the ON products, such as the ON ACCOUNT and CARD DEBIT ON, the digital profile is held when: - “All operations carried out with the account and the card are carried out through of the remote channels available to Bankia at any given time (Bankia Online). ne, APP Bankia, Telephone Office, ATMs, …). - All holders have registered the Bankia Correspondence Service Online, not receiving communications from Bankia on paper. - All cardholders have provided Bankia with their mobile phone number and email electronic. - They have accepted and activated the PUSH messaging service through the App Bankia.” The fourth condition to hold the digital profile, related to the messaging service PUSH, has been added since 12/15/2019 for new pro-professional hires. ducts ON, while the following conditions are eliminated: - “All holders have authorized Bankia, by signing the document Personal Data Processing Agreement, equivalent document or corresponding contract C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 14/117 client, the processing of their personal data for sending communications with commercials by any communication channel enabled, including email and mobile phone. - All holders have authorized Bankia, by signing the document Personal Data Processing Agreement, equivalent document or corresponding contract tooth, the transfer of your personal data to companies in your group for the analysis of your profile for commercial purposes.” For customers who already had an ON product, the new conditions applied will start on February 16, that is, after two months have elapsed since they were communicates this contractual modification, having sent the communications last su December 15. Indicates that the two indicated conditions have been eliminated in new hires. and although they would be contractually provided for pre-existing customers until that the mentioned modifications communicated are effective on February 16, BANKIA does not take these two conditions into account in order to discount or not the meals sessions since last October 16. Regarding consent BANKIA, for those treatments whose legal basis is consent, has of a system that allows the collection, modification and management of these consents. as well as the traceability of the modifications made, called Module General of Consents. This Module also registers the exercises of rights of the clients and allows to take its centralized management. The list of consents is structured in three main blocks with the following: You have associated purposes: - Sending commercial communications - Participation in loyalty programs, raffles, social action and other si- thousands. - Transfer of data to third parties. The consents thus constitute a numbered multilevel list in such a way that the more general consents are at a higher numbering level and specific ones at a lower level. In this way, consent is granted or not. in a general way, for example, to send commercial communications, and in a specific to each channel through which communications can be received. The consents are recorded in a document called Treatments of Personal Data (TDP) that includes customer data protection information. This document is always signed by the client during the registration process, prior to contracting any product, both through online banking (with signature code) or in person at the office, on a Tablet that is provided (digital tablet that C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 15/117 It is also used to collect the signing of contracts and transaction operations. tions executed by any client). When the consents are modified, they are recorded in a document similarly called Modification Treatment Authorizations (MTA). This document It is also signed by the client. BANKIA reformed and updated the list of consents on the occasion of the entry into force of the RGPD in May 2018 and sent a communication to all clients in- forming the entry into force of the new Regulation, initiating a new process of consent collection. When the new list of consents was put into operation due to an in- incident in the online channel that required adaptations to the systems (affected only to ON account customers contracted through the online channel) between July 8 and On August 15, 2018, the consents were shown pre-marked, in a state of acceptance (“consent”), for new customers. That is, when a new customer was registered through the online channel, the consents were pre-marked during the registration process, not occurring in office registrations. Also, for pre-existing clients, during this period, new consents ments (which did not exist previously about which therefore the client had not been expressed) were marked with acceptance status, but the pre-existing consents on which they had already expressed their authorization or refusal, contraban in the state that the client had decided. It must be taken into account that, as a result of the integration of 7 Savings Banks in favor of BANKIA in 2011, and the merger of Bankia with BMN in 2017 (BMN in turn became formed with 4 savings banks) was based on consent obtained from different forms for each group of clients of each one of the eleven integrated boxes, with a total of about eight million customers, so we started from a situation plex. By unifying the consents and creating a single, common list for all BANKIA customers, regardless of their Savings Bank of origin, remained situations in which some clients originating from some Savings Banks could have consents already authorized or denied, and others not. All this was taken into account to the premark the consents, not overwriting the state in those in which the client had already expressed. As of August 16, 2018, pre-marked consents in a state of acceptance or "consent" (green color in the application) are shown to "not consent" sorry” (red color), and finally passed to the status of “not collected” (gray color) on fe- bre of 2019. Statistics: The consents of some 5,842,000 clients of the 8,281,000 that the entity has at the moment. Customers missing by answering tar constitute 29%, correspond to inactive clients, and their consents ments are unmarked. However, for any treatment these con- Feelings are considered to be in the "no" state to prevent their use. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 16/117 Of those who have answered, 89% have accepted all the consents, 7.5% They answered partially accepting, and 3.2% answered all "I do not agree". I feel". The number of customers who passed the registration process in the period between on 07/08/2018 and 08/15/2018 (ON products through the online channel), are a total of 2,562 (of which 2,192 are still active and 270 have been cancelled). of the clients who are still active 38 have subsequently modified consents. For all these reasons, there are 2,154 active clients who provided pre-married consent. and have not subsequently modified them, accounting for 0.16% of the total con- sentiments provided by online banking and 0.03% of the total number of consents Data from the total number of clients that appear in the BANKIA database. Highlight that customers can modify their consents online at any moment, as many times as they wish to modify them and through any of the channels enabled (BANKIA Online, BANKIA App or branch) regardless of the channel through which that they have borrowed. Currently, and since before 05/25/2018, when a new client registers at BANKIA, both online and at the branch, you must fill out the consents generated using the aforementioned document called Personal Data Processing (TDP), who signs. It is not possible to continue registering the client without signing said document. ment. The consents are unmarked (in gray), having to mark the client his decision to consent or not. All BANKIA employees can check customer consent on-line, as well as the changes that the clients have made and the documents of con- signed sentiments. There is also traceability of the consents prior to the RGPD. Agency inspectors request access to the Consent Management Module. ments by performing the following checks: - It is accessed by means of a BANKIA employee user code and password to the data of the consents provided by one of the people present in the room, client of the entity, verifying that the Transcript document has been signed. Processing of Personal Data (TPD) dated May 21, 2018. It is also accessed also to the modifications made later on the consents (documents MTA ments) as well as the current status of consents. Regarding data transfers Although the consent of customers has been requested, BANKIA has not transferred its data personal rights neither to the companies of the group nor to other collaborating entities taking Based on these general consents of the TDP, there is no provision for it. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 17/117 The consents for assignments were requested as a general measure. In case of rea- If an assignment were to be made, specific consent would again be requested from the clients involved. profited. Attached to the inspection record is a copy of the specific consent regarding tendered for the UNI&DOS account for the entity ***ENTIDAD.1 (for the preparation of wedding list). This specific consent does not constitute a legal necessity since it is counted with the general consent obtained. However, BANKIA has considered recasting bar a specific consent for ethical commitment with its clients. In addition, in the event of a transfer in the future, the project would become informative. commissioned by the Office of the DPO, which would study and apply both the compliance criteria normative as well as ethical, taking the appropriate measures to the specific case to be raised. There is no link or published document that contains the list of companies co- companies since there is none to which data is transferred based on consent. General information collected through the TDP. The assignments that are made are carried out by means of ad hoc consent of the clients involved. ELEVENTH: On February 21, 2020, the declaration of the file of the previous actions E/2026/2019, because the period of 12 months from the beginning of these, in accordance with the provisions of article 67 of the Law Organic 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights. Likewise, under the provisions of article 95.3 of the Law Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations order the opening of new actions of investigation, incorporating to these new actions the documentation that integrates previous actions that are declared expired. TWELFTH: Within the framework of the new previous actions E/01904/2020, On 03/12/2020, a request for information was issued to BANKIA, SA (in hereinafter BANKIA) requesting information regarding customers who passed the process of registering ON products through the online channel in the period covered between 07/08/2018 and 08/15/2018 (the 2,562 clients who found the consents pre-marked facilities, according to the information contained in the report of inspection of reference E/2026/2019/I-01). Information is also requested in relation to all customers of ON products and on the total annual global turnover of BANKIA.S.A. THIRTEENTH: On March 26, 2020, you have an entry in this Agency request for an extension of the term to respond to the request. Granted the The same response is received dated June 18, 2020, in which it is indicated that at period of extension of the term to answer, the suspension of deadlines must be added provided for in the Third Additional Provision of Royal Decree 463/2020 of March 14- zo. Regarding the requested information, it states the following: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 18/117 “1 Regarding the customers who went through the process of registering ON products through of online channel in the period between 07/08/2018 and 08/15/2018 (the 2,562 clients who found the pre-marked consents, according to the information tion that appears in the reference inspection report E/2026/2019/I-01): Number of these people who have not modified their consent or have caused do leave the entity until the date of the response to the request. Of the 2,562 customers who registered an On account through Bankia Online in the indicated period As of June 9, 2020, a total of 2,171 clients. The remaining 391 clients have ceased to have active positions with Bankia, and therefore they are no longer clients of the entity. Likewise, of these 2,171 clients, 1,359 clients have modified their consents at least once with post-date prior to 08/15/2018 and the remaining 812 clients have not modified it on any occasion since they were lent at the time of registration of the On account. These 812 customers represent 0.06% of the total number of On account holders and the 0.009% of all Bankia customers. These are clients with whom an attempt has been made unsuccessfully contacted by their managers, and that there is no evidence that they have had reactions in recent months with the entity through any of the channels, since have interacted either in person at your office or through channels not face-to-face (even in consultation mode), the consents would have been obtained again. ments as explained later. In fact, these are On accounts with no movement or significant activity in the last few months or, in many cases, with negative balances to be regularized, having contact with the holders has been attempted on several occasions without success. guido. Notwithstanding the foregoing, all of them (as well as the rest of Bankia's customers) are communicated to them in December 2019, informing them of the modification of the conditions for the fulfillment of the digital profile by which as of February 2020 ceased to be a condition to meet said profile, and therefore to benefit of the exemption of commissions, those related to having authorized Bankia, through the subscription of the Personal Data Processing document, document equivalent to lens or corresponding contract, the processing of your personal data for sending of commercial communications through any enabled communication channel, including two email and mobile phone and have authorized Bankia, through the sub- Cryptation of the Personal Data Processing document, equivalent document or corresponding contract, the transfer of your personal data to companies in your group for the analysis of your profile for commercial purposes. Notwithstanding the foregoing, due to a commercial decision of the Entity that anticipated the change in Bankia's commercial positioning policy that was communicated to the customers in December 2019, as of September 16, 2019 it was not considered the authorization for the transfer of data to group companies as a necessary requirement to comply with the digital profile for the purposes of the exemption or collection of commissions.” "two. Of these clients, how many have been the object of advertising campaigns by BANKIA from 08/15/2018 to date. Dates of advertising campaigns issued. The 812 clients who have not modified their consents or caused C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 19/117 leave the entity, have been the object of some commercial action through electronic mail. tronic or SMS. These actions have been developed in the period between August 2018 (registration date) and April 2020 (in May the contact process began). new collection of consents from these clients, which is explained in the following section, marking their consent as denied until it is collected. sen again). 3. Information on whether BANKIA has carried out or is going to carry out any action with said group to obtain their consents without pre-selected options. the management of consents regarding personal data by customers can be done at any time and as many times as you want, well presented especially at any Bankia branch or through any of the channels non-face-to-face sessions available to the Entity (Bankia Online or App Bankia). Once provided and regardless of the channel through which they have been provided, the client You can modify said consents again whenever you wish by anyone. of the available channels. As for the concrete actions carried out with the co- school of clients who provided consent with a pre-selected option through of Bankia Online and in the indicated period (between 07/08/2019 and 08/15/2019), have adopted the following: The consents have been requested again from the clients who did not have modified, taking advantage of the first interaction with the entity by any of the enabled channels (branch, Bankia Online or Bankia App). This obtaining of new consents, from a neutral position to the option of acceptance or not acceptance that in each case is chosen by the interested party for each of the requested consents, has been configured as a necessary step to be able to continue the operation through any of the channels. Those clients who have not passed this process have been considered as customers who have not given their consent to the entity regardless of the meaning of the consents they provided in the registration process of the On account, and have been marked in systems as having denied all consents. All On account holders were informed, in December 2019, of the change of conditions of the digital profile, and the elimination of the requirements of having authorized the sending of commercial communications and the transfer of data for the purposes of collection or fee waiver. Contact has been made by telephone (through the corresponding managers) with customers who have not modified consents; in the case of the 812 clients who have not yet gone through the process, although several attempts have been made to contact them. Several times, the result has been unsuccessful. The process of canceling those inactive accounts without activity has begun. given in recent months. 4. Total number of customers with ON products as of the date of this request. TO date June 9, 2020, they are holders/co-holders in Bankia of an On account a total of 1,256,352 clients (653,463 accounts). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 20/117 POINT 5. Estimate of the total commissions charged during the year 2019 to these customers both for monthly fees and for commissions for notes or individual operations. viduals, by not complying or failing to comply with the conditions of the digital profile. The total amount of commissions charged during 2019 to holders of On accounts that have not met any of the conditions of the digital profile has been €2,367,954.32 according to the following breakdown: Administration fee: €27,074.59. Maintenance / Inactivity: €297,633.91. Maintenance commission: €2,043,245.91. Total: €2,367,954.32. Of the total commissions collected during 2019 for not meeting any of the requirements of the digital profile, which accrue monthly if these requirements have not been met During the previous month, commission has only been accrued in the case of 2 clients. of the 812 reported in point 1 and in a single month, the global annual amount being bal charged for this concept to each of the two clients of five (5) euros. There are It should be noted that the collection could have been due to non-compliance, in the period monthly settlement, of any of the conditions of the digital profile, sufficing that one of them is breached so that the exemption from the commissions does not proceed, for example, use the physical office channel, request to receive communications on paper, etc.… 6. Estimate of bonus commissions during the year 2019 (not collected, or de- left to charge, for the fulfillment of digital profiles) of these clients. the amount total bonus commissions (not collected) in 2019 to holders of On ha accounts been €32,110,990 according to the following breakdown: Accounts opened before 2019: €22,101,900. Accounts opened in 2019: €10,009,090. Total: €32,110,990. 7. Average annual or monthly income declared by the clients of the pro- ducts ON. Compliance with the conditions of the digital profile that gives rise to the On accounts to the application of the commission exemption, it is not linked to the need to have a certain amount of annual or monthly income. Therefore Next, On account holders do not have to declare certain income to open the account or to fulfill the conditions of the digital profile. 8. Information on BANKIA's total global annual turnover for the year financial year 2019. For these purposes, the information contained in the Annual Report is provided results 2019, published on the Entity's website, according to which the net margin before provisions of 1,428 million euros. FOURTEENTH: Dated 12/14/2020, entered this Agency brief, submitted by claimant 7 (E/00869/2021), in which he states that it is holder of an On account and that, from the opening date of said account, it has been been charging a monthly maintenance fee of 5 euros (from August to December 2019). It states that consultation with the entity C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 21/117 claimed on November 7, was answered that the commission was charged for not comply with the digital profile. The AEPD proceeded to transfer the claim received to the Protection delegate Data of the claimed entity, in accordance with the provisions of article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights. On 03/04/2021, a response was received from the entity claimed, contributing between other documents the contract of the interested party in which it is stated that he had not given his consent to the conditions required for the exemption from commissions, and a letter from said entity to the interested party in which it is communicated that "as stated in your contract, the bonus of certain commissions of the ON Account, among others, the maintenance and administration commission, is subject to the fact that all holders res maintain a digital profile. However, if any of the conditions of said profile are not met, your ON Account remains fully operational and you can continue to enjoy all the services associated with it, with the economic conditions and commissions and expenses applicable under the contract. Also, inform you that as was informed by the Customer Service in the letter that was sent to him on January 8, 2020, in order to strengthen his relationship with the Entity, despite not complying with the conditions of the digital profile, Bankia has proceeded to pay the amounts collected for this reason.” FIFTEENTH: The BANKIA website is accessed, where you can read what following: “The user of this website is informed that the merger by absorption has taken place of Bankia, S.A. by CaixaBank, S.A., the second entity succeeding the first, universal form in all rights and obligations. According to the above, it has modified the ownership of this website, as well as the addresses for sending complaints and claims and the exercise of data protection rights. For more information, click here." The Mercantile Registry is accessed, appearing among the data related to the entity BANKIA, S.A, the following observation “Extinction”. It is also stated that “on 18 September 2020, on the corporate website of BANKIA, S.A. www.bankia.com has been included in the common merger project between the companies CaixaBank, S.A. -absorbing- and BANKIA, S.A.-absorbed-.” SIXTEENTH: On May 7, 2021, the Director of the Spanish Agency of Data Protection agreed to initiate a sanctioning procedure against the entity BANKIA, S.A., currently CAIXABANK, S.A., in accordance with the provisions of article 58.2 of Regulation (EU) 2016/679, of the European Parliament and of the Council, of 04/27/2016, regarding the Protection of Natural Persons with regard to the Treatment of Personal Data and the Free Circulation of these Data (Regulation General Data Protection, hereinafter RGPD), for the alleged infringement of the article 7 of the RGPD, typified in article 83.5.a) of the aforementioned Regulation; and for the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 22/117 alleged infringement of article 6 of the RGPD, typified in article 83.5.a) of the aforementioned Regulation, determining that the sanction that could correspond would amount to one total of 2,100,000 euros without prejudice to what resulted from the investigation. The initiation agreement is notified to the respondent by electronic means on the 7th of May 2021. The notification is accepted by the addressee on May 10, 2021. SEVENTEENTH: Dated May 18, 2021, it has an entry in this Agency letter from the data protection delegate of CAIXABANK, S.A. in which he states act in the name and on behalf of the same by virtue of its capacity as delegate of data protection, requesting extension of the term to formulate allegations to the agreement to initiate the sanctioning procedure and delivery of a copy of the procedure administrative. On May 24, 2021, accreditation from the representation held within 3 days from receipt of said request. Dated May 26, 2021, you have entry in this Agency written accompanied by a notarized power of attorney accrediting said representation. On May 26, 2021, it was agreed to extend the deadline for allegations until legal maximum allowed and a copy of the administrative file is sent to CAIXABANK, S.A. The notification of the brief and the delivery of the copy of the file were carried out carried out by postal courier as long as the volume of the file did not allow delivery by electronic means. The documents were received by said entity on May 26, 2021. Work in the supporting procedure of the courier company that proves receipt of the documentation on that date. EIGHTEENTH: On May 31, 2021, CAIXABANK, S.A. filed a written of allegations in which he requests that a resolution be issued declaring the nullity of full right of the procedure for the reasons that it exposes in its allegations first and second or, failing that, agree to file it or, failing that, the imposition of a warning or reprimand or a significant reduction in the amount established in the startup agreement. The aforementioned entity bases its requests on the allegations that, in summary, are set forth below: First.- Of the helplessness caused to CAIXABANK as a consequence of the fixation of the amount of the penalty in the initiation agreement. Setting the amount of the penalty in the agreement to initiate the procedure, which is justifies in the Basis of Law IV, produces helplessness to the interested party that vitiates of nullity the same. It understands that determining in said act the sanctioning reproach, evaluating even the mitigating and aggravating concurrent without motivating them minimally, about which he has not had occasion to express himself, affects the application of the fundamental principles of criminal law, applicable with certain clarifications to the sanctioning administrative procedure, as has been consistent jurisprudence manifest. Considers that the initiation agreement exceeds the content legally provided, for how much it should only incorporate the limits of the possible sanction that could be imposed, and not determine a specific amount that implies the summary assessment C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 23/117 of the concurrent circumstances. The agreement dictated goes beyond what was admitted in the Article 68.1 of Organic Law 3/2018, of December 5, on Data Protection Personal and Guarantee of Digital Rights (hereinafter LOPDGDD). This advance and unmotivated assessment of the responsibility of CAIXABANK, even indicating mitigating and aggravating circumstances, even if it is for their mere mention, and even when it is intended to leave aside what is finally appropriate based on of the investigation, in the opinion of that entity, an unprecedented part is carried out, without any allegation of the accused that would allow the sanctioning body to assess the circumstances assessed in light of said allegations, leaving the party defenseless. It also produces defenselessness the fact that the amount comes from the mere enumeration of circumstances, without stating how they affect the responsibility. The fact that the Sanctioning Body establishes in the Start Agreement the amount of the sanction that, in his opinion, should be imposed on CAIXABANK affects the impartiality of the investigating body designated in the same agreement to initiate procedure, which knows before starting the procedure the criterion of the organ to which will finally raise the file, on which it depends hierarchically. This supposes a breach of the principle of separation between the instruction phase and the sanction phase (article 63.1 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations -hereinafter LPACAP), depriving the instructor of a objective knowledge of the facts and the possibility of making an assessment of the circumstances arising from the instruction. It alleges that article 64 of the LPACAP, invoked in the Initiation Agreement, does not imply an important innovation of the legal system regarding the sanctioning regime previously in force, all the regulations governing the procedure administrative since the original Law of 1975 have imposed whenever it is determined the amount of the sanction that could proceed. It understands that the mere entry into force of a provision that does not affect the regime previously in force can enable the sanctioning body in a procedure to be assessed, a priori, and without having processed the procedure, mitigating and aggravating circumstances in their conduct, expressly establishing without any instruction the amount of a penalty and influencing the decision of the examining body. Likewise, article 85.1 of the LPACAP does not require this prior determination of the amount, since it does not refer to a pre-established sanction, but to the imposition of the appropriate sanction. This rule, applicable "beginning of the procedure", provides that the acknowledgment of responsibility may determine the imposition of the sanction “that appropriate”, so that this fixation seems to be foreseen after the actual acknowledgment of responsibility. In addition, in section 3, the same article provides that the reductions must adopted on the "proposed" sanction, which requires that it has actually been determined in the procedure what that amount is, which leads to the conclusion that the resolution proposal will be the ideal moment for determining of the aforementioned amount, given that only then will the defendant already have been able to be heard and his arguments taken into consideration in the motion for a resolution, which also C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 24/117 will have been able to be freely adopted by the competent body for the investigation without any influence of the sanctioning body on the investigative action. Second.- Of the helplessness caused to CAIXABANK in the processing of this process. It alleges, first of all, that the file has only been transferred to CAIXABANK on May 27, 2021, when there were only two days left skillful for the formulation of allegations, without even agreeing on the aforementioned date the extension of the term for its formulation by five days from the receipt of the file, given that on the same date it was clarified that the deadline for requested extension began to be computed on May 24, that is, 3 days prior to receipt of the file. Considers that in practice, the issuance of allegations has been reduced to a period of two business days, which generates a completely helpless situation. Secondly, it points out that apart from the transfers of the different claims and the action of the AEPD has been limited to an initial request for information, an inspection visit nine months after the start of the investigative actions and the realization of a request for information when those had already expired and had not been "replaced by others", no agreeing to open the procedure until almost eleven months have elapsed since response to that request. It understands that given the sequence of events that emerges from the agreement of beginning, the AEPD had decided to admit for processing the first of the claims in date February 21, 2019, given that it agreed to initiate the preliminary investigative actions. So consider that even though with the seven claims made against your entity indicate that they were based in the provisions of article 65.4 of the LOPDGDD, such legal basis lacks reality of the content of said norm, since it is applied only in the assumptions in which the transfer is carried out in order to decide on the admission to procedure and always with the aim of determining what will be the decision on this issue has to be taken. However, the AEPD had decided to investigate the facts on which the complaints were based by initiating investigative actions on February 21, 2019. What has just been indicated, together with the completely identical nature of the claims made, it does nothing but highlight the manifest inactivity incurred by the AEPD throughout the processing of this procedure, in prejudice to the rights and guarantees of CAIXABANK, being that, in addition, the AEPD has agreed to prolong in a completely artificial way the duration of such actions to the point of doubling their duration compared to the legally established in article 67 of the LOPDGDD on the sole basis of the declaration of expiration of said actions to proceed with the opening on the same date of other different ones about identical facts and alleged infractions of the regulations of personal data protection. It understands that against this it cannot be argued that during those more than nine months carried out successive transfers of information to their entity, and the AEPD must be C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 25/117 the response given to them by the former, given that, as has already been indicated, the purpose of the transfers is to decide on the admission for processing of the claims, being so in this case said actions, related to the facts object of the claims, were admitted for processing from the agreement to initiate investigative actions. In this way, carrying out only two specific actions of investigation over more than twenty-four months would evidence the existence of a situation that could constitute fraud of law in the use, to the detriment of the investigated entity, of the power granted by article 95.3 of the LPACAP to completely artificially lengthen the duration of the actions of investigation, by archiving those initially carried out and opening (or, allow us, “reopening”) to the detriment of CAIXABANK. It alleges that in this sense it is applicable to the present case, mutatis mutandis, the doctrine established by the National High Court in its judgment of October 17, 2007 (appeal 180/2006), in which the illegality of the extension inadequate or unfounded, and based exclusively on its inactivity of the preliminary investigative actions. Consider CAIXABANK that can be seen in the performance of the AEPD, the concurrence of the elements required by article 6.4 of the Civil Code to appreciate the concurrence in the same of fraud of law, which should lead to the nullity of this sanctioning procedure. Third.- On the freedom of consent given by customers at the time to subscribe the ON account and the non-existence of violation of article 7 of the RGPD. 1. The content of the Home Agreement. CAIXABANK understands that the reasoning of the AEPD in which it comes to consider that the collection of commissions as a result of contracting the products to referred to in the Start Agreement to those who do not meet the requirements established so that it could be considered that the client maintained the so-called “digital profile”, implies a negative consequence for it, supposes a Ignorance of the nature of the contracts to which it has been making reference and the objective elements that are part of them, which, in its turn, gives rise to an incorrect interpretation of the consent requirement related to its “free” character. The application to the client of a commission cannot in any way be considered as a “negative consequence” of entering into a checking account contract banking, but as the consideration that the client has to satisfy as consequence of the service contracted with the financial entity. In this way, do not should never refer to the existence of a burden, encumbrance or "consequence refusal” imposed on those who do not give their consent to the processing of their data within the framework of the delimitation of the so-called "digital profile", but of the Obtaining a benefit to whoever does give that consent, consisting of the reduction or exemption from the payment of its consideration in the aforementioned contract. Considers that the action of the entity that could derive in a limitation of the requirement of freedom of consent given to the processing of your data C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 26/117 personal cannot be the demand for the payment of the consideration that definition is part of the content of the contract, but the imposition of a levy or additional charge to said consideration. In this sense, they pronounce their own EDPB Guidelines, which in the example mentioned in the Startup Agreement do not consider limitation to the freedom of consent the requirement of payment of commissions, but the "increase" of them. On the contrary, nothing in the RGPD or in its development in Spanish law by the LOPDGDD, comes to determine that the consent ceases to be free due to the fact of that the person who facilitates it be granted some type of benefit, advantage or incentive (since the exemption from the payment of a commission meets these characteristics) on the conditions that, according to the clauses of the contract, should be fulfilled in general. AND This is, and not the one indicated in the Start Agreement, the situation that occurs in the present course. Indicates, regarding the legal nature and elements of the current account contract banking, which is a bilateral or synallagmatic and onerous contract in which the services provided by the bank and that are complementary to the mere delivery of funds and conservation by the client are not limited to the payment, in your case, of the corresponding interest, but also to the provision of services that, According to the very nature of the commercial commission contract, they will have also a remunerated character. This implies that the commissions are not constituted as a levy imposed on the client, but as the consideration for the services provided to it by the entity of credit, thus configuring itself as a necessary objective element of the contract of bank current account, which must incorporate the same except in those exceptional cases in which, due to the very nature of the contract entered into, is blurred in the development of the contract the activity that is typical of the commercial commission. In short, the commissions are an essential part of the contract, since they represent the consideration that the interested client must satisfy for the services that the banking entity carries out on behalf of the person who orders the same making payments and deposits, as well as for the rest activities of a complementary nature that constitute the essence of the account mercantile stream. It also states that commissions are an essential element of the contract according to the domestic law and the European Union. Article 2.15 of Directive 2014/92/EU of the European Parliament and of the Council of July 23, 2014 on the comparability of commissions related to payment accounts, the transfer of payment accounts and the access to basic payment accounts (hereinafter, the “Policy”) defines the commissions as “all expenses and penalties that, where appropriate, must be paid by the consumer to the provider of payment services for services linked to a payment account or in relationship with them”, taking into account that, in accordance with article 1.6 of the legal text payment accounts must at least allow consumers to make, at a minimum, operations consisting of “depositing funds in a payment account”, “withdraw cash from a payment account” and “make payments to third parties and receive third party payments, including transfers”. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 27/117 In Spain, the transposition of the Directive was carried out by means of Royal Decree- Law 19/2017, of November 24, on basic payment accounts, transfer of payment accounts payment and comparability of commissions (hereinafter, the "RDL 19/2017"), whose article 9 establishes, in its section 1 that "the commissions received for the services provided by credit institutions in relation to basic payment accounts will be those that are freely agreed between said entities and the clients”, without prejudice to the possible setting by the Government of maximum commissions in accordance with the criteria established in the section 3 of the precept (power embodied in Order ECE/228/2019, of 28 February). Likewise, it is established that "regulations may establish different regimes of more advantageous conditions in terms of commissions in depending on the special situation of vulnerability or risk of financial exclusion of potential clients”, this being the only case in which there is a limitation express legal or an exemption from the payment of commissions. Likewise, for the purposes of guaranteeing comparability in commissions incorporated into payment account contracts, article 15 of RDL 19/2017 establishes in its article 15.1 that "the Bank of Spain will publish and maintain updated the list of the most representative services associated with an account payment, incorporating the standardized terminology contained in the delegated act to which refers to article 3.4 of Directive 2014/92/EU of the European Parliament and of the Council, of July 23, 2014” This list is included in the Annex to Circular 2/2019, of March 29, of the Bank of Spain, on the requirements of the Informative Document of the Commissions and of the Commission Statement, and payment account comparison websites, which amends Circular 5/2012, of June 27, to credit institutions and providers of payment services, on transparency of banking services and responsibility in the granting of loans, which includes the most representative services associated with payment accounts that, consequently, will imply the requirement by the entity payment of the subsequent commission in consideration for its performance as follows: Account maintenance; issuance and maintenance of a Debit; issuance and maintenance of a credit card; discovered express; tacit discovered; transfer; standing order; cash withdrawal to debit by card at ATMs; cash withdrawal on credit ATM card; alert service (SMS, e-mail or similar); negotiation and check clearing; check return. Finally, Royal Decree 164/2019, of March 22, which establishes a free system of basic payment accounts for the benefit of people in a situation of vulnerability or at risk of financial exclusion, prohibits in its article 2.1 the credit institutions require the payment of commissions “when all the holders and Authorized users of a basic payment account are in the special situation of vulnerability or risk of financial exclusion indicated in article 3 and it has been recognized in accordance with the provisions of this royal decree”, establishing the requirements for the recognition of this right. It concludes that: • Commissions are an essential element of the contracts associated with the called payment accounts and the current bank account contract, and are intended to C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 28/117 purpose the remuneration of the services provided by the banking entities for the performance of the different services associated with the contract. • The parties may freely set the commissions to be paid as remuneration for said services, and it cannot be considered that they come from unilaterally imposed as a lien on the contract, always respecting the maximum limits that, where appropriate, are approved by the Government. • They will only be exempt from the general system of commissions that has just been describe the cases in which the nature of the services contracted with the bank entity is not assimilable to that of a payment account because it implies "more limited functions" than its own. • Only the chargeability of commissions will be excluded from the holders and Authorized users of a basic payment account are in the special situation of vulnerability or risk of financial exclusion. Starting from everything that has been indicated, under no circumstances would it be possible classify the commissions as an encumbrance, charge or damage caused to the client of a credit institution, being simply an element of a payment account for the that the interested party pays the banking entity for the services that have just been detail, necessarily appearing in the contract and proceeding, in terms of its fixation, of the free autonomy of the will of the parties, always within the maximum limits that may be established. For this reason, the exemption from commissions for customers who maintain a profile digital will be configured as an advantage or benefit for the client who operates as exception to the collection of commissions, which is consubstantial to the celebration of the contract, proceeding said exemption from the free acceptance of the conditions that the determine. It will not exist, consequently, and in terms that are diametrically opposed to what reasoned by the Home Agreement, a lien subject to the non-provision of a certain consent linked to the processing of personal data, but a benefit derived from said provision. 2. It also alleges that there is no damage, encumbrance or charge whatsoever derived from the failure of customers to consent to the processing of their data personal. As has been indicated so far, the fact that the client of an entity bank is obliged to pay commissions associated with the management of an account of payment cannot be considered at all a detriment to it, since the commissions are an integral element of the contract, so that the products banking, in any case, are associated with the payment of said commissions. The logical consequence of the foregoing is that it cannot be considered that in a case such as the one that is the subject of this sanctioning procedure can be seen as, erroneously considers that AEPD, that the exemption from the payment of certain commissions suppose an element that conditions the freedom of consent freely provided by the interested party for the conclusion of the contract or that the consent for the processing of your data has not been freely granted. The Initiation Agreement refers in its reasoning to recital (42) of the RGPD that indicates that “consent should not be considered freely given C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 29/117 when the interested party does not enjoy a true or free choice or cannot refuse or withdraw your consent without suffering any prejudice”. What derives, according to said reasoning, in the repeated reference that he makes to article 7.4 of the RGPD, to whose tenor "when evaluating whether the consent has been given freely, will be taken into account to the greatest extent possible whether, among other things, the execution of a contract, including the provision of a service, is subject to the consent of the processing of personal data that is not necessary for the execution of said contract". Understands that what is established in considering (42) previously reproduced does not It is applicable to the case analyzed or to the processing of personal data carried out. carried out by CAIXABANK, and this to the extent that none of the premises contained in it. Thus, in the first place, it understands that in the present case the client enjoys true and absolute freedom to decide whether or not to grant the different consents that are requested, both at the moment in which he acquires the condition of client through the registration process in the entity, the opening of the corresponding account and the conclusion of the contract, as at any later time when it may modify the consents given without any limitation. In this sense, as stated in the background of the initial and has had the opportunity to verify that AEPD, in the client registration process, the to the will of the interested party the completion of a series of boxes, referring to the controversial treatments in the sanctioning procedure, informing you, in a explicit, clear, simple and concise, as imposed by article 12.1 of the RGPD, of the purposes for which the client would grant, in case of providing it, each of the different consents that are subject to your decision. And how will it be analyzed? subsequently, the marking or not marking of the aforementioned boxes in any mode will influence the conclusion of the contract, which will take place in the event that the The interested party signs the terms thereof with absolute independence from the fact that whether or not they have consented to the treatments submitted to their decision. In the same way, as is also proven in the records of the Agreement of Home, and it was revealed to the AEPD inspectors during the visit on December 12, 2019, the client may, throughout his relationship with CAIXABANK and as many times as it deems convenient, modify its consents, both online, by accessing your personal area, and by any of the the other channels made available to them (telephone, app, office, etc.) and this, in in any case, regardless of the channel used to provide or deny initially your consent to the processing of your personal data for the purposes for which it is required. Likewise, it was brought to the attention of the AEPD that CAIXABANK (then BANKIA) had established procedures for guarantee the traceability of all the consents granted by the interested parties and their status at any given time. Thus, as stated in the Home Agreement, during the inspection carried out by the inspectors of that AEPD records the performance of the following diligence: “Access is gained through a BANKIA employee user code and password to the data of the consents provided by one of the people present in the room, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 30/117 client of the entity, verifying that the document of Treatment of Personal Data (TPD) dated May 21, 2018. It is accessed also to the modifications made later on the consents (MTA documents) as well as the current status of consents.” That is to say, the interested party enjoys absolute freedom to, whenever he considers it relevant, provide your consent or revoke any of the consents previously provided in a simple way and capable of being fully accredited, without conditioning, let alone undermining, in any case, the freedom of their election nor is the tenor of the same linked to the continuity of the service provided to the client by CAIXABANK. Consequently, in the event that the client does not want to grant their consent during the contracting process, or consider it opportune to revoke at a moment after the consent previously given, it can be carried out in a entirely free and without the imposition of any difficulty on it, without this preventing nor in any way the formalization of the contract or its formalization in conditions of a less beneficial nature than those others that consent for any or all of the intended purposes. Second, the non-provision of consent or the revocation of the consent previously given does not imply in any case the production of a prejudice to the interested party or the imposition of any type of burden or encumbrance, given that the contract will continue to govern CAIXABANK's relationship with its customers under the same clauses, without being affected in any way the provision of customer service. And it is that, as it has been indicated previously, in no moment the provision of the service is conditioned to the provision by the interested party of your consent, a sine qua non condition for the application of article 7.4 of the RGPD invoked by the Home Agreement, since the provision of consent does not does not affect the way the service is provided or the content of the relationship, nor does it imply nor any additional tax for the interested party. On the contrary: the provision of consent implies a benefit for the client, to the extent that he is exempt of the payment of some commissions that, as indicated above, are a integral element of the contractual relationship that links CAIXABANK with its client. In short, the client does not suffer any damage as a result of not having given their consent, given that in no case does this imply a aggravation of the general conditions that govern the contract, but simply the no exemption from the payment of commissions associated with the services provided that they appear in any case associated with it. In this regard, it is also worth recalling the analysis carried out by the EDPB in its Guidelines on the concept of “harm”. Thus, the EDPB points out in the aforementioned Guidelines (§13) that consent will not be truly free if the data subject “is feel compelled to give consent or suffer negative consequences if they do not give it” adding later (§14; emphasis added) that the consent “will be invalidated by any improper influence or pressure exerted on the interested (which can manifest itself in very different ways) that prevents this exercise your free will." C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 31/117 And, in particular (§24): “[…] consent can only be valid if the interested party can really choose and there is no risk of deception, intimidation, coercion or significant negative consequences (for example, substantial additional costs) if does not give his consent”. Well then, the application of these criteria makes it difficult to assume and defend the thesis supported in the Initiation Agreement, from which it would be inferred that the entity claimed would condition or exercise improper influence over its clients by subjecting them to "significant negative consequences" for the mere fact of not granting them a benefit to which, in general, they would not be entitled any. And it is that even, in line with what has just been exposed, attention must be paid to what pointed out in example 6 of the EDPB Guidelines, to which the Agreement of Beginning and that, nevertheless, describes a supposition that in no case bears relation with which it is the subject of this sanctioning procedure. Indeed, in the aforementioned For example, the EDPB states the following (emphasis added): “A bank asks its customers for consent so that third parties can use your payment details for direct marketing purposes. This processing activity is not necessary for the execution of the contract with the client and the provision of the usual bank account services. If the client's refusal to give his consent to said treatment gave rise to the refusal on the part of the bank of provide their services, at the closing of the bank account or, depending on the case, to a increased commissions, consent could not be freely given.” In this way, the EDPB indicates that the consent could be considered not to have been freely granted in those cases in which the bank (i) does not proceed to the opening of a bank account to the client due to the fact of not having lent his consent (thus conditioning the signing of the contract to the provision of a consent that does not refer to the object of the same, but to "other matters", in terminology of article 7.2 of the RGPD); or (ii) there is an increase in the commissions that said client must pay in relation to the contracted products (that is, imposing a lien on him for the non-provision of consent). But even in this second case, which, as has been indicated, does not concur in this case, it should not be forgotten that not even the EDPB establishes an unconditional rule, rather, it points out that it could be appreciated that the consent would not be free “if the refusal of the client to give his consent to such treatment would give rise […] depending of the case, to an increase of the commissions”. Well, aside from what is indicated in relation to the concept and nature of the commissions in the cases of payment accounts, it is evident that in this case there is no None of the assumptions described in the cited example concurs, to the extent that the client can, in any case, contract a certain banking product without need to give your consent and in no case is there an increase in commissions associated with the service provided, since they appear expressly provided for in the contract. There is definitely no increase in said commissions, but the non-application of an exemption. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 32/117 And it should not be considered that what has been argued so far can be refuted considering that the non-granting of an exemption in the payment of commissions implies the generation of damage, given that both situations are incompatible: in the In the first case, the status quo would be the payment of commissions, which is discounted in if consent is given. On the contrary, the imposition of a levy would mean that the commissions would be increased as a result of the non-provision of consent, which does not happens in this case. In this way, an interpretation similar to the one maintained in the initial agreement would lead, for example, to consider that the loss of the requirements that allow a taxpayer enjoying a tax exemption or deduction supposes the generation of a loss, consisting of the payment of the tax, to which it has always been subject. Reference should also be made to the "European Legislation Manual on data protection”, adopted by the Agency for Fundamental Rights of the European Union and the Council of Europe, in collaboration with the European Court of Human Rights and the European Data Protection Supervisor, where states, in relation to the free nature of consent, the following: “This does not mean, however, that consent can never be valid in circumstances in which the lack of consent would have some consequences negative. For example, if the consequence of not consenting to have a customer card of a supermarket is only that they will not be received small discounts on the prices of some products, consent could be a valid legal basis for processing the personal data of those customers who give their consent to have said card. There is no subordination between company and the client, and the consequences of the lack of consent are not what serious enough to limit the data subject's freedom of choice (as long as the price reduction is small enough not to affect such freedom of choice). From what has just been reproduced it is clear that, if the provision of the consent supposes the establishment by a person in charge of the treatment of discounts on the prices of their products, which would not be obtained if the consent to treatment, this consequence would not have any relevance that would make the aforementioned consent lose the condition of free, because it would not fit assess the existence of a detriment to the interested party. And this case is similar in all points to the one analyzed by the Initiation Agreement in that, necessary is to reiterate it again, there is no reduction of the rights of CAIXABANK customers for not having provided the consent to the processing of your personal data, but simply will produce the application, in that case, of the ordinary conditions of the contract. In short, in the alleged object of this proceeding there is no type of damage to the interested party as a result of the refusal to lend their consent for the processing of your personal data that may affect negatively in its configuration of "free consent", since the only thing that C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 33/117 foreseen in the conditions of the contract is to obtain a profit on the basis of these general conditions in case that consent is given. No it is therefore possible to equate, as the initial agreement intends to do, obtaining a benefit with the imposition of a tax on those who freely choose not to avail themselves of to that one. 3. Inexistence of conditionality to the consent of the interested party for the hiring of services. As previously indicated, the Start Agreement considers that in the In this case, there has been an alleged violation of article 7.4 of the RGPD referred, as already anticipated, to the fact that “the execution of a contract, including the provision of a service, is subject to the consent of the processing of personal data that is not necessary for the execution of said contract". In relation to the application of this rule, the Initiation Agreement takes into account consideration for the interpretation of the precept indicated by the recital (43) of the RGPD, which indicates that "it is presumed that the consent has not been given freely when […] the performance of a contract, including the provision of a service, is dependent on consent, even if consent is not necessary to such compliance” But it is that the presumption that is included in this precept, and that in any case does not could be considered iuris et de iure, as the AEPD seems to understand, by not justifying in In any way, the application to the case of the aforementioned recital of the RGPD, would not be in any way applicable to the assumption that is being analyzed here, given that in the itself there is no conditionality as described in article 7.4 of the RGPD (with which the aforementioned recital 42 of the RGPD is related), since the provision of consent is not a sine qua non condition for signing the contract, with the client being able to contract the services of CAIXABANK without the need to proceed to the provision of consent and without being in any way affected the services that will be provided to it, which will be the same in one case or another, to the completely regardless of the provision or not of the aforementioned consent. Indeed, we are not faced with a case in which the non-provision of the consent conditions the contracting of services, as in the case of first of the examples incorporated into the EDPB Guidelines, and reproduced by the Home Agreement, since it refers to a situation in which there is no allows users to make use of a certain service when the interested parties do not give their consent for a treatment not directly related to the itself, something that under no circumstances happens in the case at hand since, as has been indicated, customers can freely contract the services of CAIXABANK without the need to grant consent to the processing of your data personal. Let us remember that according to the cited example, the use of a mobile application for photo editing to which the interested party lends his consent to the activation of your GPS location for the use of its services, in such a way that if it is not carried out, it is not possible to use the application. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 34/117 And at this point, what is indicated by the EDPB in § 37 of its Guidelines, which states the following: "The data controller could argue that your organization offers stakeholders a real choice if they could choose between a service that includes consent for the use of personal data for additional purposes, and an equivalent service offered by the same responsible that does not imply giving consent for the use of data for purposes additional. Whenever there is a possibility that said person in charge of the treatment execute the contract or provide the contracted services without the consent for the other use or the additional use of the data in question, it will mean that there is no longer service conditionality. However, both services must be really equivalent.” Well, it is not only offered to those who have not given their consent for the processing of data as part of the so-called "digital profile" a service equivalent or similar to the one provided to those who have agreed to the provision of said consent, but simply and simply offers them the same service that the one that lends to its clients with a “digital profile”. That is, the financial product that one and the other will be able to contract will be the same and not simply an equivalent one, and the services provided will be exactly the same in both cases. In this way would be fully applicable to CAIXABANK what is indicated in the transcribed text of the Guidelines, since there is no conditionality for hiring the customers of the services related to the controversial products to the provision consent to the processing of your personal data. And it is that, in no way is it possible to consider, as seems to emerge from the tenor of the Home Agreement, that there is no full identity between the contracted services by those who give consent by holding a "digital profile" with respect to those who do not provide the same, because the services offered, associated with the accounts that are cited in the Initiation Agreement, are exactly the same and also The elements that will integrate the contracts in which the contracts are formalized will be the same. aforementioned services, including commissions, even when in the event that the user holds the so-called "digital profile" these commissions will be discounted in the full amount as long as the "digital profile" is maintained. The interpretation of the concept of equivalence contained in the guidelines of the EDPB cannot be as forced as the one that seems to derive from the Start Agreement, in which said concept becomes synonymous with “complete identity”, so that the simple fact of setting a bonus in the amount of the benefit to satisfied by the client may lead to the consideration that the subsidized service and the non-reduced are not "equivalent" because they are not "completely identical". In such a case, it understands that it would incur in the manifest contradiction that would be considered by the AEPD that the same supplier would simultaneously offer two identical products or services by the sole fact that the same product or service was offered with and without any bonus as a result of the fact that the interested party gives his consent. This would inevitably contain an evident sophism that would empty of content any offer or promotion that could apply a private entity if it is related to the consent given, given that in In the opinion of the AEPD there would not be a bonus, but rather the offer of a different product, even if the content of the services were to the full extent identical. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 35/117 And it should be noted that even the EDPB rejects such an interpretation, for since, as will be pointed out later, it does not consider it contrary to article 7.4 of the RGPD the possibility that the person in charge of the treatment can offer its clients incentives or additional benefits in case the treatment is authorized of your personal data, which implicitly implies accepting that there is no difference between the provision of the incentivized and non-incentivized service, therefore, even to a lesser extent, both services may be considered non-equivalent. But it is that even, and even if it were not considered that there is an absolute identity in the provision of the service regardless of whether the interested party grants or not consent to the processing of your data, it should also be remembered that they are not the only ones that make up the catalog of products or services consisting of payment accounts, in the legal concept of said term. This is recognized by the Home Agreement itself when it states that it sells through of its digital platform the three financial products referred to in the procedure within the general offer of other similar products, equally marketed by the entity. Thus, the Agreement indicates that "the entity claimed, has marketed, through its digital platform (www.bankia.es), among others, three financial products: ON Account; ON Payroll Account and UN&DOS Account, along with their associated debit cards. It also sells a credit card (Card Credit ON), which must be associated with an open ON Account”. By way of example, he points out that it makes it easier for potential clients to contract, if they so wish, other financial products such as the Easy Account, the Youth or the Basic Payment Account. As has already been said, the rule indicated by the EDPB would be applicable even when the services share purposes and substantial characteristics, even when it is not possible to determine their absolute identity. In this sense, and from the perspective of economic theory, also applicable to the competition law, it should be remembered that substitutability between two products and services concurs in the cases in which a consumer can access immediately, in the event of a change in the current price of the original product, to its substitute product. This substitutive character of the product in no case supposes a perfect and total coincidence of all the characteristics of the products or services, but its possible indistinct use by the consumer. Thus, the characteristics of the aforementioned financial products, although they are not identical to those that would concur in the three products analyzed in the Home Agreement, they can be considered without any kind of doubt similar or equivalent to these. And the fact is that the equivalence lies in the fact that they provide the interested party with the possibility to passively capitalize the different amounts of money that you decide to deposit in such financial products without depriving you of direct access to your funds, developing all the services that participate in the nature of the contracts related to the holding of payment accounts, in the terms established by internal and European Union regulations, analyzed in detail in section 2 of this allegation. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 36/117 It concludes that taking into account the very wording of article 7.4 and considering 42 of the RGPD, as well as the tenor and logic of the Opinion of the EDPB, considers that yes provides a free choice to those interested in contracting their different liability products and, in particular, to opt for contracting the accounts of disputed payment in this file with absolute independence of the provision of your consent to the processing of your personal data. 4. Additional considerations about the freedom of consent given in accordance with the doctrine of the EDPB and that AEPD. Starting from what has been argued so far and, consequently, taking into account that the exemption from the payment of commissions cannot in any case be considered a damage, burden or encumbrance for the interested party, without being conditioned in any way the provision of the services that make up the controversial products to the granting of consent by the interested party, it is necessary to indicate that neither the personal data protection regulations or the interpretation of the same performs the EDPB consider inadmissible or contrary to freedom in the provision of the consent to the granting of benefits, promotions, incentives or improvements of the services in case the interested party provides the same. Thus the EDPB declares in its Guidelines (§ 48) that “the RGPD does not exclude incentives, but it would be up to the data controller to demonstrate that the consent has continued to give freely in any circumstance”. In this way, the EDPB considers perfectly admissible the connection of the consent with the obtaining of an incentive as long as it is possible to prove the concurrence of the note of freedom in the consent, something that as it has come indicating up to this place does occur in this case. In this sense, it seems relevant to refer to the opposite sensu, to the example incorporated as 8 by the EDPB in its Guidelines, which states the following (the underlining is ours): Example 8: When downloading a style application from life for mobile phone, the application asks for consent to access the phone accelerometer. This is not required for the app to work, but It is useful for the data controller who wishes to know more about the movements and activity levels of its users. When later the user you withdraw your consent, you discover that the application only works in a limited way. This is an example of injury within the meaning of recital 42, i.e. that the consent was not validly obtained […]” . In this case, the incompatibility of the incentive offered with the RGPD would lie in the fact that the entity offering the application limits the operation of the application itself application. And this case is diametrically opposed to the one tried in this proceeding, for when the free decision not to give consent in any way affects the provision to the client by CAIXABANK of all the services that make up the contract signed by the interested party. The only consequence of not paying the consent to the processing of your data is the ordinary development of the contract in Regarding the consideration that, as an element of the same, has been incorporated into C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 37/117 that, and which consists of the payment of the appropriate commissions, in the terms established in domestic and European Union law. Finally, and in line with what has just been indicated, it should be taken into account that, as indicated by the AEPD itself in Report 0292/2010 of its Legal Office, the attribute of "free" consent required implies that the same “must have been obtained without the intervention of any vice of the consent in the terms regulated by the Civil Code. Thus, to presume, as the Initiation Agreement does, that the consent provided in the present case has been subject to the existence of coercion in the free will of the interested parties as a result of the mere circumstance of grant a benefit as a result of its granting, such as the exemption in the payment of commissions, would de facto imply that the AEPD, exceeding completely of the powers granted by the regulations for the protection of data, it would consider itself competent to assess for itself the possible invalidity of a contract in which incentives or benefits are established, when appreciating the existence of a vice in the consent given by the clients, thus entering to assess the validity of a contract, an issue that only concerns the member bodies of the civil jurisdiction. Fourth.- On the consents obtained from the clients who contracted the controversial products through the online channel between July 8 and December 15. August 2018. It alleges that CAIXABANK has never denied that, as a consequence of adaptations carried out in BANKIA's information systems such as consequence of the establishment of a new list of consents, in order to unify those that had been obtained by the different entities that were finally integrated in it, there was an incident in its systems, whose duration is the specified in the Startup Agreement, by virtue of which the consents of the Interested parties appeared pre-marked by default, so that if they were not no action be carried out by the interested party who contracted the accounts disputed in this file, the option that the consent had actually been given. This incident was reported knowledge of that AEPD on the occasion of the inspection visit made on the 12th of December 2019 and analyzed in detail in the letter of the same dated June 18, 2020, in response to the request made by the AEPD. However, in the first place, it alleges the inadmissibility of the sanction for application of the “non bis in idem” principle. The AEPD considers in the Start Agreement that at If the boxes marked by default are not found, a violation of the Article 6 of the RGPD because, not being the consent lawfully obtained, lacks a legal basis that supports the treatment in accordance with the aforementioned precept. On the other hand, and recapitulating what was stated in the third allegation of this writing, the AEPD has considered that all the consents given by the customers who contracted the controversial products in their day have been collected without complying with the requirement that said consent be free, appreciating the Agency the existence of an alleged violation of article 7 of the RGPD, whose C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 38/117 non-existence CAIXABANK has already accredited in accordance with what was argued in the aforementioned allegation. Well, if the reasoning of the AEPD were followed in relation to the latter infraction, the non-existence of a consent that fulfilled all the requirements established in the personal data protection regulations (what this party, it is obvious to reiterate, flatly denies) would lead to an alleged violation of the Article 6 of the RGPD, since, in the opinion of the AEPD, the consent obtained the processing of personal data would have been carried out carried out without a legal basis for it. Thus, the AEPD considers, in relation to the totality of the clients who contracted these products, that the treatment of their personal data is contrary to the provisions of article 6 of the RGPD, by not consider that the consent given by said clients may be a valid consent for the purposes of the aforementioned regulations. For its part, in relation to the infringement that is now being referred to, the AEPD considers that the consent of the clients who contracted these products through the online channel on the dates between July 8 and December 15. August 2018 is not valid because the boxes are pre-marked, but at own time has already considered, in accordance with what was reasoned in the foundation of second right of the Home Agreement, that this consent was not valid (regardless of whether the boxes were pre-marked or not) by not being able to considered, always in the opinion of that AEPD, that the consent given is free. In this way, the AEPD would be doubly sanctioning the lack of a legal basis for the treatment of the personal data of the clients who have contracted the controversial products through the online channel on the dates between 8 July and August 15, 2018, given that, on the one hand, it affirms that the consent granted is not valid because it is not free and, secondly, that said consent It is not valid because the boxes are pre-marked. In this way we would find ourselves before a situation in which the AEPD would proceed to imposition of two sanctions for the violation of the same precept in relation to a same consent given, understanding that this consent is, according to your criterion, doubly violating the rules required for consent and, therefore, doubly considered lacking sufficient legal basis. Consequently, they would be sanctioned twice for the commission of the same facts (treatment without legal basis for it because, in the opinion of the AEPD, the consent) in relation to the treatment of the data that they would have authorized who contracted the products on the dates that have been reiterated in this allegation, with the consequent and blatant breach of the non bis in idem principle. And to this it is not possible to oppose the fact that the Initiation Agreement invokes as infringed, respectively, articles 7 and 6 of the RGPD, since the alleged infringement of the Article 7 of said legal text implies, ultimately, the same principle of protection of data that the considered infringement of article 6, that is, the principle of legality of the treatment, regulated in article 5.1 a) of the RGPD, since in both cases what comes to sanction is the alleged absence of an adequate legal basis for the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 39/117 treatment of personal data, considering that the consent of the interested has not been, always in the opinion of the AEPD validly provided. In this way, if the AEPD, in view of what has been stated by this party, considers concurrent in the treatment of the data of all the clients who contracted the BANKIA products subject to the exemptions derived from the maintenance of a “digital profile” the infringement referred to in the third allegation of this writing, said infraction would subsume the one that is now being analyzed, for application of the ne bis in idem principle, so it would not be possible to impose, with respect to of the customers who contracted the products through the online channel between the 8th of July and August 15, 2018, a double violation of the same principle of protection of data, as intended by the Start Agreement. Secondly, it alleges that incidence has produced a minimal repercussion on the customers as an essential criterion to assess their responsibility. It alleges that the incident affected a total of 2,562 customers, of which only 812 (one 0.009% of BANKIA's customers) would have been really affected by it, as it is not materially possible, despite displaying an extreme level of diligence, manage to contact them, as they are inactive clients who have not interacted with the entity through the channels that it makes available and that they have not made any movement or activity in their accounts since the moment in which said entity, aware of the incidence produced, has tried to repeatedly contact them. He affirms that, as already revealed in the inspection carried out on the 12th of December 2019 and also detailed in his letter addressed to that AEPD on 18 June 2020, all necessary actions have been taken towards the resolution of the incident and to have only the consent of those who effectively, freely, consciously and without any type of conditioning, such as that the boxes appear pre-ticked by default, were provided by their clients. The Home Agreement itself lists in its thirteenth fact the aforementioned measures, in the following terms: “The consents have been requested again customers who have not modified them, taking advantage of the first interaction with the entity through any of the authorized channels (branch, Bankia Online or App Bankia). This obtaining of the new consents, from a neutral position to the option of acceptance or non-acceptance that in each case is chosen by the interested party for each of the requested consents, has been configured as necessary step to be able to continue the operation through any of the channels. Those clients who have not passed this process have been considered as customers who have not given their consent to the entity regardless of the meaning of the consents they provided in the registration process of the On account, and have been marked in systems as having denied all consents. All On account holders were informed, in December 2019, of the change of conditions of the digital profile, and the elimination of the requirements of having authorized C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 40/117 the sending of commercial communications and the transfer of data for the purposes of collection or fee waiver. Contact has been made by telephone (through the corresponding managers) with the clients who have not modified consents; in the case of the 812 clients who have not yet passed the process, although attempts have been made to contact them on several occasions, the result has been unsuccessful. The cancellation process of those inactive and inactive accounts has begun in the last few months.” It is evident from the measures described that it was deployed in a immediately how many actions were necessary to guarantee that the consents lent were with absolute freedom and without any conditions, deciding finally consider denied the consent of those who, after repeated attempts carried out, they could not be contacted or interacted in any moment with it. This measure was definitively adopted in May 2020, as stated in the Initiation Agreement, even though since October 16, 2019 it was removed from the necessary conditions for the exemption of commissions in the products controversial the provision of consent for the processing of data as part of the so-called “digital profile”. He acknowledges the incidence produced, but considers that the diligence with which he adopted measures aimed at minimizing the effects of the infringement, should be grounds enough for the AEPD to exempt him from guilt or, in the worst case, warns his entity for the acts committed. NINETEENTH. Access to the consolidated annual accounts of the group Caixabank, available at ***URL.2, on page 249 of which it states that the volume of group business in 2020 is 12,172 million. TWENTIETH: On December 20, 2021, a resolution proposal was issued in the following meaning: FIRST: That the Director of the Spanish Data Protection Agency sanction CAIXABANK, S.A., with CIF A08663619, for an infraction of article 6 in in relation to 7 of the RGPD, typified in article 83.5.a of the RGPD, with a fine of 2,000,000 euros (two million euros). SECOND: That the Director of the Spanish Data Protection Agency sanction CAIXABANK S.A., with CIF A08663619, for an infraction of article 6 of the RGPD, typified in article 83.5.a of the RGPD, with a fine of 100,000 euros (one hundred a thousand euros). TWENTY-FIRST: Electronically notified to the entity CAIXABANK S.A. the mentioned resolution proposal and accepted the notification by said entity dated December 22, 2021, dated December 23, 2021 had entry in this Agency letter in which an extension of the term to formulate allegations was requested. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 41/117 Once the extension of the term was granted, on January 13, 2022, the this Agency written of allegations, in which it is requested again that it be declared the nullity of full right of the procedure for the reasons described in its first allegation, subsidiarily that its file be agreed and subsidiarily to the file that the sanction of warning enshrined in article 58.2.b) is imposed) of the RGPD or, failing that, a significant reduction in the amounts established in the proposed resolution in response to what is stated in the fourth allegation. It reiterates all of its allegations to the initial agreement and formulates the considerations that, in summary, are set out below: FIRST. CONCURRENT VICES OF NULLITY IN THE PRESENT PROCESS. 1. On the radical nullity of the procedure as a consequence of the fixing of the amount of the penalty in the startup agreement. He points out that he already made clear in his allegations to the Initiation Agreement the manifest helplessness that had been caused to him as a consequence of the fixation in the same of the amount of the sanction that, in the opinion of that AEPD, proceeded to impose in this proceeding, and this on two fundamental bases: • The AEPD has proceeded to assess the degree of guilt of CAIXABANK and of the circumstances that affect him, and this assessment has been made in audit party, without having had the opportunity to make any statement or make the most minimal evidence in defense of their right, thus being deprived of their right to defending. • This assessment is carried out by the competent body itself to resolve the this procedure, that is, the Director of the AEPD, who in her Start Agreement specifically indicates to the instructor of the procedure what is the reproach that, in his opinion, judgment, will have to appreciate in the conduct of CAIXABANK and what are the circumstances that affect his guilt, which supposes a manifest interference of the sanctioning body in the inspection action and a dilution of the phases of instruction and resolution of this sanctioning procedure, with the consequent damage to that entity. Considers that it is evident that, once the existence of an obvious defenselessness, by dispensing with the guarantees granted by the regulations governing the sanctioning procedure, with the consequent breach of their right to guardianship effective legal action, applicable, mutatis mutandis, as has been manifestly reiterated by the jurisprudence of our Constitutional Court, to the administrative procedure sanctioning, it is becoming clear that the vice of nullity has been incurred enshrined in article 47.1 a) of the LPACAP, since they have resulted injured the rights and freedoms subject to constitutional protection, something that Even though it is obvious, the Proposal considers that it is not sufficiently clarified, so it reiterates Based on the foregoing, the Motion for a Resolution states, first of all, that the in audit evaluation part of the concurrent circumstances in the case and, in C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 42/117 Consequently, the determination by the competent body to sanction the amount of the sanction proceeding prior to the investigation of the matter derived directly and immediately of what is established in article 64 of Law 39/2015, of 1 October, of Common Administrative Procedure of the Public Administrations (in hereinafter, "LPACAP"), not without sinning, however, of a manifest contradiction, when be indicated, as is done in the Resolution that the action of the AEPD "goes further" than provided in the standard. And it is that, indeed, the AEPD indicates in the Proposal that the setting of the amount of the sanction that would proceed to impose the defendant is a requirement of the provisions of the Law, but at the same time considers that it is not, since it seems to indicate that, a completely ex gratia and beneficial way for the defendant, the AEPD has decided to "go beyond" what is established in the norm, granting a kind of benefit to the company, even when this is at the cost of undermining the rights enshrined in article 24 of the Constitution. The Resolution Proposal also considers that the determination of the amount of the sanction, and the consequent evaluation of the concurrent circumstances in the case comes from the option, granted to the defendant by the LPACAP to proceed with the payment anticipation of the sanction and the acknowledgment of concurrent guilt in their conduct, established in article 85 of the LPACAP, with the consequent reduction of the amount of the sanction. The literalness of this rule does not imply, in CAIXABANK's opinion, an authorization to the sanctioning body to prejudge the case by proposing ab initio the amount of a sanction, given that this violates the most elementary principles of sanctioning procedure with the consequent breach of the rights of the defendant in said procedure. Indeed, article 85.1 of the LPACAP does not require prior determination of the sanction, given that nowhere does it refer to a sanction pre-established (what would happen in case of its fixation at the time of initiation of the procedure), but to the imposition of the sanction that proceeds. That is, the norm that in any case is applicable "initiated the procedure", provides for the possible acknowledgment of responsibility that may determine the imposition of the sanction “proceed”, in such a way that this fixation seems to be foreseen after the actual acknowledgment of responsibility. But in addition, article 85.3 provides that the reductions must be adopted on the “proposed” sanction, which requires that it has actually been determined within the of the procedure, after hearing the administrator, what is that amount, what literally leads to the conclusion that it will be the motion for a resolution, for Regardless of what is stated otherwise in the Motion for a Resolution, the right time for the determination of the aforementioned amount, since the Start Agreement is not the ideal place to "propose" the imposition of a sanction, but to simply initiate the processing of the procedure. The AEPD tries to justify in the Resolution that it is not the resolution proposal but the home agreement the appropriate place for fixing the amount of the penalty. Without However, the AEPD forgets that there is a substantial difference between both moments of the procedure, given that the defendant will already have been able to be heard and his arguments taken into consideration in the motion for a resolution and that, furthermore, said C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 43/117 proposal will have been able to be freely adopted by the competent body for the instruction, thus not producing any influence of the sanctioning body on the instructor performance. Indeed, the interested party does not have, prior to the Start Agreement, the right enshrined in article 53.1 e) of the LPACAP, which may only be exercised after that moment, and this circumstance, far from being interpreted in the sense that contained in the Resolution Proposal (considering for that reason lawful the fixation in audit part of the amount of the “proposed” penalty), what it reveals is the manifest and blatant defenselessness caused to CAIXABANK, given that the amount of the “proposed” sanction is given prior to the processing of the procedure and the possibility of alleging what his right agrees in it to in order to be taken into account in the assessment of the concurrent circumstances in the case And it is that, contrary to what the appealed Resolution indicates, in that it seems assert that fixing the amount of the infringement is a benefit granted to CAIXABANK, by going “beyond” what is established in the LPACAP, the determination in audit part of the amount of the sanction and the determination by the AEPD of the concurrent circumstances in the case without the defendant having had the most minimal opportunity to argue what is appropriate to his right, could never be considered as such a benefit, given that in no way can it be considered that a violation of CAIXABANK's right to defense may in no case be considered nothing less than a benefit. In this way, the contradiction is incurred in considering that the non- CAIXABANK having made use of the alleged benefit that was generated, in application of article 85 of the LPACAP becomes a reason for not being able to invoke the violation of their rights derived from the erroneous interpretation that the AEPD makes the aforementioned standard. Thus, the violation of the presumption of innocence in which the Initiation Agreement incurs would be remedied as a consequence of the fact that CAIXABANK has not paid the penalty in advance, incurring the paradox that to enjoy the benefit granted by article 85 of the LPACAP the defendant must bear the bankruptcy of such a fundamental right. Indeed, the defenselessness caused to CAIXABANK by the actions of the AEPD in this case could not be considered corrected by the fact that it could have make objections to the initial agreement. And this is so because the mere fact of his formulation implies an increase in the amount that would be forced to pay, for as the AEPD does not recognize the defendant the possibility of exercising the option contained in article 85.1 of the LPACAP (that is, to admit their guilt at any time of the procedure) in case it has issued arguments to the initial agreement. Point out the difference between the initial agreement and the resolution proposal since in the first the acknowledgment of responsibility is allowed within the term to exercise allegations, which entails a reduction of 20% of the sanction and is instructed that at any time prior to the resolution of the procedure, may carry out the voluntary payment of the proposed sanction, in accordance with the provisions of article 85.2 of the LPACAP, which will mean a reduction of 20% of its amount. You are also told that the reduction for the payment C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 44/117 voluntary of the sanction is cumulative to the one that corresponds to apply for the acknowledgment of responsibility, provided that this acknowledgment of responsibility is revealed within the period granted to formulate arguments at the opening of the procedure. It states that, however, proposed resolution establishes only that "in accordance with the established in article 85.2 of the LPACAP, you are hereby informed that you may, at any prior to the resolution of this procedure, carry out the payment voluntary of the proposed sanction, which will mean a reduction of 20% of the amount thereof”. He considers that the defendant sees himself in the position of (i) either admitting his guilt to limit to achieve a reduction in the amount of a sanction set in audita parte; or either (ii) exercise the rights granted by the Constitution and the laws, although this will entail a cost, in your case, of 420,000 euros, as you can no longer enjoy the first of the benefits granted by article 85 of the LPACAP. That is, for the AEPD the mere fact of exercising the right of defence, which would allow the Administration acting to really know, in view of what could be contributed by the defendant, the concurrent circumstances in the case and properly determine the amount of The sanction that could proceed to impose, must carry an economic cost, certainly excessive (420,000 euros), for the accused, which, obviously, It supposes a radical violation of the rights that attend it. The consequence of all the above is that there is a radical defect in the processing of this sanctioning file, derived from an interpretation contrary to the Constitution of articles 64 and 85 of the LPACAP, which affects the nullity of the procedure, having violated the fundamental rights of CAIXABANK, as and as established in article 47.1 a) of the LPACAP. 2. Regarding the defenselessness caused to CAIXABANK as a consequence of the Fraudulent prolongation of the investigative actions. It alleges that it already revealed in the allegations to the Initiation Agreement the concurrence in the investigation phase of this proceeding of an accumulation of irregularities that necessarily led to the generation of a blatant defenselessness, and a fraudulent use by the AEPD of the faculty attributed to it by article 94.5 of the LRJPAC, to the detriment of the rights CAIXABANK. Affirms that, as indicated in the Motion for a Resolution, the transfer to the delegate of data protection, for the purposes of deciding on the admission to processing of the claim “although it is optional for the AEPD, it comes to suppose a guarantee for the claimed party, who is given the opportunity to present the reasons for its action against the claim made and, where appropriate, the corrective measures taken in order to put an end to a possible non-compliance with the legislation of data protection, prior to its admission or not for processing” In other words, the aforementioned transfer aims to guarantee the rights of CAIXABANK in this case, so that the AEPD can determine whether or not to proceed with the procedure, agreeing, in accordance with article 65.1, that prosecution in relation to the facts denounced and the possible violation of the rights of the interested parties in C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 45/117 regarding the protection of your personal data, either by carrying out of inspection actions aimed at clarifying either, in the event of find the same sufficiently accredited, by opening the corresponding sanctioning procedure (article 64.2 of the LOPDGDD). However, in the present case we find two situations that seem contradict what was argued by the AEPD in its proposal: • In the first place, the admissions for processing do not appear anywhere in the file. of the claims made by Claimants 1, 2 and 3, stating only those referring to Claimants 4 (on August 14, 2019, folio 405 of the file), 5 (on August 14, 2019, folio 411 of the file). 6 (on the 19th of September 2019, folio 472 of the file) and 7 (on April 28, 2021, folio 785 of the file). • Secondly, the facts about which the seven claims made against my principal were already subject to inspection actions, initiated on the initiative of the AEPD (as indicated the Motion for a Resolution) on February 21, 2019 (folios 5 and 6 of the file). That is, on the dates on which the claims were admitted for processing. with respect to which this agreement existed (which are not those presented in the first place, but only the last four of those presented), the transfer made by the AEPD to CAIXABANK made absolutely no sense, since whatever it was the response that it offered in relation to the aforementioned claims, the facts to which they referred were already being investigated by of the AEPD. Consequently, even when the AEPD states that they intended to reinforce the rights of CAIXABANK in order to decide whether or not to proceed with the procedure referring to the claims made, the truth is that the decision already had been adopted by means of the agreement of February 21, 2019. Therefore, the transfer of the claim became a merely bureaucratic process whose decision was already had been previously adopted, since in case of inadmissibility of the claim, the AEPD would be going against its own acts, consisting of the start of the investigation on February 21, 2019. This is also helped by the fact that the AEPD denies any relevance to the mentioned admission agreements for processing, which do not display any effect on the terms provided for in article 64 of the LOPDGDD. Indeed, these agreements do not determine neither the carrying out of investigative actions nor the opening of any sanctioning procedure, for the mere fact that these actions, with respect to which the AEPD considers admission to be so relevant, it is already were in progress, limiting themselves to agreeing, as recorded in the records facts of the Initiation Agreement and the Resolution Proposal, their accumulation to those investigative actions (even though the file does not even show the agreement by which such accumulation took place). Proof of this is that the very AEPD is aware that the dies ad quem for the completion of the maximum period of duration of the investigative actions is none other than February 21, 2020, in which the term of one year has elapsed since its opening. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 46/117 Second, the Motion for a Resolution limits itself to invoking article 95.4 of the LRJPAC, indicating that it attributes the power to carry out a kind of of reopening the investigative actions in case it deems it pertinent, no matter how much the LOPDGDD establishes a maximum term of duration of the investigative actions. Certainly, the aforementioned precept establishes that “[t]he expiration will not produce by itself the prescription of the actions of the individual or of the Administration, but the expired procedures will not interrupt the statute of limitations”, adding that “[i]n the cases in which it is possible to initiate a new proceeding for not prescription has occurred, the acts and procedures may be incorporated into it. whose content would have remained the same had the expiration not occurred. On In any case, in the new procedure, the formalities of allegations, proposition of evidence and audience with the interested party”. For its part, article 67.1 of the LOPDGDD is clear in indicating that “[b]efore the adoption of the agreement to initiate the procedure, and once the application has been admitted for processing, claim, if any, the Spanish Agency for Data Protection may carry out carry out preliminary investigation actions in order to achieve a better determination of the the facts and circumstances that justify the processing of the procedure, adding exhaustively its section 2 that said actions "may not have a duration of more than twelve months from the date of the admission agreement pending or from the date of the agreement by which its initiation is decided when the Spanish Agency for Data Protection acts on its own initiative. Well, if the special rule applicable to the performance of the AEPD establishes completely emphatic that the investigative actions “may not have a duration greater than twelve months”, this rule must be the only one applicable to the this procedure since the LOPDGDD itself establishes that the application of the regulations governing the common administrative procedure is only subsidiary application to the procedures processed by the AEPD. I mean, I don't know it is only that the LRJPAC is not applicable as a consequence of the fact that be the LOPDGDD the special rule regulating the procedure; is that its own LOPDGDD states in its article 63.2 that “[t]he procedures processed by the Spanish Agency for Data Protection will be governed by the provisions of the Regulation (EU) 2016/679, in this organic law, by the provisions regulations issued in its development and, as long as they do not contradict them, with a subsidiary, by the general rules on administrative procedures” And this does nothing but highlight the contradiction in which the Proposal of Resolution when at the same time it indicates that the special legislation that results of application to the procedure establishes a maximum term of duration of the inspection actions, but at the same time considers that said term strictly established must be interpreted in the sense that the duration may always be superior, under penalty of preventing the application of article 95.3 of the LRJPAC which, as a rule of subsidiary application to the case, results, precisely because of that reason, inapplicable. Thirdly, it affirms that the AEPD considers the application of the doctrine to be erroneous. supported by the National High Court in its judgment of October 17, 2007 (appeal 180/2006). In the opinion of the AEPD, said doctrine is not applicable to the case C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 47/117 for two essential reasons: (i) it was revoked by the Chamber itself from its judgment of November 19, 2008 (appeal 90/2008); and (ii) predates the establishment of a maximum period of duration of the investigative actions. Well, with respect to the first of the aforementioned reasons, it must be remembered that the judgment of November 19, 2008 was not founded, to modify the criterion of the Chamber, in the fact of considering erroneous the doctrine supported by the previous sentence, but based its doctrine on the documentation provided by the legal representative of the AEPD together with his answer to the demand. In effect, according to the aforementioned judgment: “[…] however, in the present supposed a series of specific circumstances that have to be put of manifest. Thus, the State Attorney notes in the answer to the lawsuit that the delay produced in the processing of the preliminary actions is in the case clearly justified. And this because of the study of the documentation provided by It is clear, unequivocally, the very important increase in cases processed before the AEPD, not accompanied by the same proportional increase in personal resources and resources. Documentation that evidences that among the years 2003 and 2007 have increased the procedures initiated by 108.33% and the resolutions issued by 105.67%, so the delays in said processing, and logically in the previous actions (which increased by 120.03% in the referred period), have not been due to the fraudulent intention of avoiding the expiration of the sanctioning file, but to said significant increase in the work to be carried out by the different departments of the AEPD, which clearly justify the aforementioned delay. Faced with said argumentation of the defense of the Administration, this Chamber considers that such attached documentation effectively evidences the significant increase in the number of cases processed in the AEPD in the last four or five years, which logically has had to imply the consequent extension of the time of duration of processing of the same and, therefore, of its preliminary phase or of preliminary proceedings.” In other words, the doctrine of the judgment invoked by CAIXABANK in its allegations to the Start Agreement is not erroneous nor has it been revoked by the National High Court, but which was nuanced by the same in attention to the very peculiar circumstances derived from the documentary that worked in cars. Precisely, and in order to avoid this anomalous situation for the rights of the investigated, article 122.4 of the Regulation of development of the Organic Law 15/1999, of December 13, established a term exhaustive duration of the investigative actions, which could not exceed a maximum period of twelve months “counting from the date on which the complaint or The reasoned request referred to in section 2 would have been entered in the Spanish Agency for Data Protection or, if there are none, since the Director of the Agency agrees to carry out said actions”, adding that “[t]he expiration of the term without having been issued and notified of an agreement to initiate sanctioning procedure will produce the expiration of the previous actions. That is to say, the successive declaration of expiration and subsequent reopening of the investigative actions followed on its own initiative in a specific case, since this is in flagrant contradiction with the principle of legal certainty and with the guarantees that the legal system grants to the administered, which must not be subject to the perpetual uncertainty derived from the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 48/117 fact that the AEPD may, at the time it deems appropriate, reopen investigation actions for the same facts or directly initiate the penalty procedure. And this is what the LOPDGDD establishes, and nothing else: once a claim has been made, The AEPD has established deadlines for the investigation of the facts, form that after the maximum period set by the legislator in the rule that results of application to the procedure processed by the AEPD, the latter may only agree the expiration of the procedure and not proceed with its reopening, as it is not applicable Article 95.3 of the LRJPAC, as it is a general rule and of subsidiary application to the procedures processed by the AEPD, which establish a strict and limited term of duration of investigation activities. And it is precisely the application of article 95.3 of the LRJPAC that determines what fraudulent action of the AEPD in this procedure in accordance with the doctrine supported by the ruling of the National High Court of October 17, 2007, must prevent the proper application of article 67.2 of the LOPDGDD, which is to avoid, in the terms established by article 6.4 of the Civil Code, through the invocation of a norm that is not applicable. SECOND. ON THE VALIDITY OF THE CONSENT GIVEN BY THE CLIENTS IN THE PRESENT CASE. Declares fully reproduced the allegations made to the Initiation Agreement of this proceeding and affirms that the Resolution Proposal is limited to denying the origin of what is stated in the cited allegations on the mere basis of their simple assessment, incurring throughout his reasoning in obvious contradictions, supporting his criteria in his simple assertion, without carrying out any reasoning to found that one, and contradicting not only the very nature of the current account contract, but even the interpretations themselves made by the EDPB in the documents in which, apparently, it intends to found its sanction resolution. He points out that the AEPD affirms that “this Agency considers that, effectively, the Commissions can form part of the current account contract, remunerating the services provided by the banking entity, as already indicated in the Agreement of Initiation of this procedure”, understanding that in the face of such an affirmation, we can only reiterate that the commissions "can not be part" of the contract, but which are one of the consubstantial objective elements to it, in such a way that in In case of not concurring, the contract may have the nature that you want, but we do not we will find ourselves before a current bank account contract, given that its nature is bilateral and onerous, so that it is not possible to consider that the same "can" exist free of charge or without consideration by the client of the entity, understanding that this conclusion means that the reasoning subsequently followed by the AEPD must necessarily decline: there is no harm in maintaining the conditions of the contract, but only an exemption or benefit derived from the provision of the consents to which reference is being made in this penalty procedure. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 49/117 And it is this circumstance that the EDPB highlights in its "Guidelines 5/2020 on consent in the sense of Regulation (EU) 2016/679” (hereinafter, interchangeably, the “EDPB Guidelines” or the “EDPB Guidelines on the consent"), when in the sixth of the examples he mentions, he points out the following: “A bank asks its customers for their consent so that third parties may use your payment details for direct marketing purposes. This activity of treatment is not necessary for the execution of the contract with the client and the provision of the usual services of the bank account. If the client's refusal to giving your consent to said treatment would give rise to the refusal on the part of the bank to provide their services, at the closing of the bank account or, depending on the case, at a increased commissions, consent could not be freely given.” In this way, the EDPB indicates that the consent could be considered not to have been freely granted in those cases in which the bank: i. Does not proceed to open a bank account for the client due to the fact that having given their consent (thus conditioning the signing of the contract to the provision of consent that does not refer to the object thereof, but to "other matters”, in the terminology of article 7.2 of the RGPD), in a way that would condition the conclusion of the contract to the provision of consent; ii. It is agreed to close the account as a result of the non-provision of the consent, in the terms already mentioned, which would mean a conditioning of the same nature, since the revocation or non-provision of the consent would imply the termination of the contract; or iii. There will be an increase in the commissions that said client must pay in relation to the contracted products, that is, by imposing a tax on the non-provision of consent. Even when the example is extremely clear and exhaustive, the AEPD is limited, in the face of all what has been stated up to that moment, to deny it validity, pointing out the following: "This Agency understands that, regardless of the fact that the EDPB mentions only some examples of what constitutes a detriment, without pretending to contemplate all the possible assumptions, the reference to the "increase in commissions" cannot be interpreted in the literal sense that CAIXABANK expresses in its allegations. When the EDPB refers to an "increase in commissions" it is evident that takes as its starting point the assumption that there are established commissions that are charged in any case, hence, if the refusal to give consent gives cause these to increase, consider that the consent is not given freely, while this increase supposes a detriment for the interested party. This is the \ It \ him consent is not free because its provision is conditioned to avoid a charge that it was not being produced. And this example is equivalent to the one produced in the case object of this procedure, in which the exemption from the collection of commissions is linked to the provision of consent, so that the interested party does not provide said consent freely, but conditioned by that circumstance.” CAIXABANK understands that the argumentation of the AEPD is an interpretation forced, since in the first place, the AEPD in its different resolutions raises up to the source category of law the content of the various documents and guidelines emanated from the EDPB, to the point of considering that the contravention of said documents must be considered as a direct violation of the RGPD itself and C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 50/117 the LOPDGDD that adapts Spanish law to it. This offense is understood produced even in the cases in which the EDPB is limited to carrying out general considerations about the interpretation of a certain precept, considering the AEPD that the RGPD is completed with the criteria extra legem and sometimes contra legem included in such opinions. just remember for this purpose, the resolutions issued in procedures PS/00070/2019, PS/00477/2019 and PS/00500/2020 (the latter two directed respectively against CAIXABANK and one of the companies of the Group in which it is integrated) to verify how the legally required requirements for the validity of the information obligation to those affected or the provision of consent are expanded beyond what established in the norm as a consequence of the application, as if of a norm legal, of the criteria supported by the EDPB. However, in this Motion for a Resolution, and even having cited again as if it were a legal norm the aforementioned Guidelines on the consent, the AEPD makes a new interpretation of the criteria based on by the EDPB, since if they are not consistent (when not diametrically opposed) to the thesis that it intends to maintain, this can only be due to two possible causes: (i) their intention not to be exhaustive, so that they have not considered a case like the one analyzed by the Agency; or (ii) the effective contemplation of said assumption, understanding that the interpretative opinion must be in turn interpreted in the sense that the AEPD considers appropriate to defend. The very content of the Motion for a Resolution reveals the obvious contradiction of the reasoning of the AEPD. Indeed, firstly, regarding the consideration that the content of the Guidelines is not exhaustive, it should be noted that the example seems to do reference to all the assumptions in which it could be considered that there would be a condition of the principle of freedom of consent in a case like the one analyzed. How much to the commissions at no time does it refer to the collection of the agreed commissions in the contract or to the disappearance of an exemption from said payment, but only and exclusively to an "increase" of the same as a consequence of the non-provision of consent. And furthermore, this assumption, unlike the two cited by the EDPB previously did not join unconditionally, but "depending on of the case”, that is to say, of the circumstances that concurred in it, so that there will be assumptions in which even such an increase would not determine an absence of freedom of consent. The AEPD itself reasons how this would be (and not the one analyzed in this procedure) the assumption that could affect, it has already been said that conditionally, the freedom of consent. For this, take into account that the AEPD itself indicates that the EDPB's criterion is that “if refusal to consent results in these [commissions] increase, consider that consent is not given freely”, adding that this example is equivalent to the one analyzed in this process. Well, such a statement can only be described as erroneous: in In no case can it be considered that in the case analyzed the refusal to provide the consent causes commissions to increase. The commissions are agreed in the contract signed by the interested party and do not increase in a greater or lesser amount as a consequence of the lack of provision of said consent. That is, and for C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 51/117 if it is not clear enough, the full effectiveness of the contract and the enforceability of said commissions, already agreed with the interested party in the time of signing the contract. A different matter is that the provision of consent supposes a reduction or exemption from the payment of said commissions. In this case, no lien is established. for the refusal to give consent, but a reduction or exemption from the payment of the consideration that corresponds to him to satisfy for the services rendered by his client. In other words, the non-provision of consent does not imply any burden, but the maintenance of the general conditions of the contract, which impose the payment of A commission. Finally, the AEPD, however, denies effectiveness for the defense of human rights of CAIXABANK because it limits itself to considering that “[w]hen the EDPB refers to to an "increase in commissions" it is evident that it takes as its starting point the course in which there are some established commissions that are charged in any case”. In relation to such a statement, that in a case in which the EDPB clearly stated, it is not possible for the AEPD to expand (or rather limit) the interpretation of the assumption to the one that he considers adjusted to his thesis, no matter how It is evident that he intends to consider this fact. If the AEPD considers that it is “obvious” the interpretation that it intends to carry out, should justify what it is based on to appreciate that supposed evidence and not limit himself to incorporating into his reasoning so apodictic conclusion. And there is also an obvious contradiction in the reasoning supported by the AEPD in its Resolution Proposal when, after reproducing the quote from the “Manual of European legislation on data protection”, adopted by the Agency for Fundamental Rights of the European Union and the Council of Europe, in collaboration with the European Court of Human Rights and the European Supervisor of Data Protection, which CAIXABANK made in its brief of allegations to the Initiation Agreement, and after having insisted that in the controversial case there was no any benefit derived from the provision of consent, but a manifest prejudice in the event that the same was not granted concludes, certainly succinctly, that from what is stated in the aforementioned Manual it can be deduced that "the benefit must be small, this is not important enough to affect freedom of choice”. This part cannot for sure venture if it follows from such an affirmation that Finally, and despite what has been reasoned up to that moment, the AEPD considers that in the In this case, we would find ourselves before a benefit that, however, must be rejected. What he does consider is that not even the reproduced statement is supplemented with the slightest reasoning that justifies why he understands the AEPD that the "benefit" is not "small" in this case. In this way, the AEPD once again limits itself to refuting CAIXABANK's arguments regarding a completely conclusive affirmation, lacking the slightest substratum of evidence that allow CAIXABANK to refute it. In this way, the AEPD seems to consider that the entity of the benefit obtained by the provision of consent must be significant, but in no case does it provide the arguments that lead to such conclusion, with the evident breach of the presumption of innocence of CAIXABANK, which should, as seems to follow from the reasoning of the Motion for a Resolution, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 52/117 prove that the amount of the benefit is reduced to avoid the application of the rule sanctioning Well, it should be remembered that recital 9 of the RGPD indicates the following: “Although the objectives and principles of Directive 95/46/EC remain valid, this has not prevented data protection in the territory of the Union from being applied fragmented manner, neither legal insecurity nor a generalized perception among the public opinion that there are significant risks to the protection of people physical, particularly in relation to online activities. The differences in level of protection of the rights and freedoms of natural persons, in particular of the right to the protection of personal data, with regard to the processing of such data in the Member States may impede the free circulation of personal data in the Union. These differences can constitute, therefore, an obstacle to the exercise of economic activities at the of the Union, distort competition and prevent the authorities from complying with the functions incumbent on them under Union law. This difference in levels of protection is due to the existence of divergences in the execution and application of Directive 95/46/EC.” In the case analyzed, the benefit would obtain as a result of the provision of consent is the exemption from payment of a monthly commission of 5 euros, which the AEPD, even without justifying it in no time, seems to consider excessive. This criterion is contrary to that maintained by the Austrian Data Protection Authority. Data (Datenschutzbehörde) in its resolution of November 30, 2018, which can be consulted in its German version on the website ***URL.3. In the case analyzed by the aforementioned resolution, the authority ruled on the case of an Austrian website that gave its customers three options as to to your access to the information published on the website: to. Partial access to the website free of non-essential cookies. b. Payment of a subscription in exchange for access to the website without non-essential cookies. c. Access to the website in exchange for the installation of advertising cookies and third parties. In view of this scenario, the resolution considers that it is possible to offer access to the website in exchange for cookies being installed in the user's browser given that the following preconditions are met: to. The website is subscription based anyway. b. The cookie policy is very clear regarding the type of cookies installed and the third parties that have access to the data received. c. Cookies are not installed before the client consents, or not, to their installation. d. Withholding consent does not have significant negative consequences for the user. In particular, the Austrian Authority understands that the consequences of denying the consent are not significantly negative to the extent that the share of subscription -of 6 euros per month without data processing- is reasonable for not exercise sufficient coercive power over the interested party, which is not seen in the dilemma to consent to the processing of your data or pay a subscription that is not affordable. Well, in the present case (i) the amount of the commission whose payment would be exempted the client for the provision of consent is lower than that collected in the case just referred to; and (ii) commissions are part C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 53/117 part of the contract, so that these are an essential element of it, that is, the contract is bilateral and onerous by nature. In this way, it would be possible to achieve same conclusion reached by the aforementioned resolution, in the sense of considering that there is no negative consequence for failure to provide consent. CAIXABANK is aware that the resolution comes from a supervisory authority different from the AEPD and that we are not faced with a criterion supported by the EDPB (although it has already been demonstrated that it does not consider that there is a levy in case of commission exemption). However, it is clear that if the The purpose of the GDPR is to establish a uniform framework in the application of the rules and principles that configure the fundamental right to data protection, there is no doubt that the criterion supported in the aforementioned resolution (it must, for this purpose, It should be remembered that the EDPB in its guidelines requires for consent to the installation of cookies the same requirements established in article 4.11 of the RGPD) must be taken into consideration as an element to take into account in the interpretation of the requirements demanded of the consent of the interested parties by the personal data protection regulations. However, as already indicated, the AEPD in its Resolution Proposal indicates that there is an “element of compulsion or pressure”, which “is determined, in the opinion of the AEPD, for the collection of those commissions established in such a way that they suppose a cost of sufficient entity to determine the clients of such accounts to accept the consent to the processing of data for purposes other than those of the contract". However, as already indicated, no reasoning makes the AEPD to determine why the exemption from a commission of five euros per month should be considered as an element of pressure or why it should be considered of an entity sufficient to force the provision of consent, especially if takes into account that, as evidenced by the figures included in the fact sixth of the resolution, it was not provided by almost 250,000 clients of the entity, which cannot be considered a trivial number. And, it is necessary to reiterate, the non-provision or revocation of consent does not carry associated with any cost for the interested party, since it only implies the application of the general conditions of the contract previously signed by the interested party. No reference is being made to a free contract that, as a consequence of said lack of provision or revocation, becomes onerous, since the contract has this nature from the moment of its signature. Nor is it being done reference to the modification of the general conditions of the contract by means of a increase in its "price", that is, of the commissions, since they will be those that appear in the contract signed by the interested party, without increasing in any moment. On the other hand, the AEPD affirms that in the present case the consent is not free, but conditioned, since CAIXABANK does not offer its clients any service equivalent to the one provided in the event that they do not give their consent to the treatment or transfer of your personal data. CAIXABANK has already made clear in its allegations to the Initiation Agreement the inaccuracy of such a statement, since the product offered to those who have not given the aforementioned consent is not "equivalent", but the same as C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 54/117 had contracted, even when not giving consent does not produce a exemption in the payment of commissions. That is, the product, the ON Account, with its general conditions and with the specifications established in the contract is the same for all customers who sign the contract. There are no two contracts different, subject to different general conditions, but a single contract that is signed by each and every one of the clients of the ON Account. For this reason it ignores the reason why the AEPD considers that the aforementioned does not exist equivalence, when what exists is an absolute identity, being one and the same contracted product. And it is that, as the EDPB Guidelines point out, the person in charge “could argue that your organization offers stakeholders a real choice if they could choose between a service that includes consent to the use of data for additional purposes, and an equivalent service offered by the same responsible that does not imply giving consent for the use of data for purposes additional”, which happens in this case, in which the provision of the service is not conditioned service, under the same conditions signed by the interested party, to the provision of the consent to the processing of your personal data. Even in the denied assumption that the aforementioned equivalence could not be appreciated, CAIXABANK highlighted in its allegations that there were other products of identical nature to the object of the present procedure for which the Interested party without the need to consent to the processing or transfer of their data. personal information. The AEPD limits itself to responding to this statement that CAIXABANK “does not prove that it is an equivalent service”, adding that “[i]t is not possible to admit that any current account is an equivalent service if the conditions in which it is lends are different or are aimed at a certain group, so that excludes that others can hire him”. Such a statement contradicts the very nature of the current account contract, given that if we find ourselves before participating contracts of the same nature, it must be concluded that the services rendered are equivalent. In particular, reference should be made to the "Easy Account" which was already alluded to in the brief of allegations to the Start Agreement. First of all, and as a starting point, It is a bank current account contract, which determines the identity of nature with the account ON. On the other hand, it is an account exempt from the payment of commissions as long as certain requirements are met by the owner, that in no case are conditioned neither to the establishment of a "digital profile" nor to the provision of any consent for the treatment or transfer of your data personal, issuing a debit card free of charge. Said conditions consist of the existence of a payroll equal to or greater than 700 euros or benefit for unemployment or pension equal to or greater than 200 euros, as well as one of the three following: • Make two purchases a month with a credit card • Contribution of 135 euros in risk insurance premiums. • Possession of more than 30,000 euros in investment funds, pension plans or savings insurance (this requirement was also fulfilled in the case of holding 40,000 euros in investment products of the entity, being excluded from this requirement for people under 26 years of age). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 55/117 In short, CAIXABANK customers could freely opt not only for the giving your consent to the processing of your personal data, but also for the possibility of contracting another product of an identical nature, also exempt of commission payments. And it is that, as the Motion for a Resolution itself acknowledges, with the citation of the Manual of data protection reproduced above, his reasoning would lead to consider null the affirmation that is clearly contained in it and even the statement in the Proposal that the benefit should not be significant or should be minor. In this sense, if one follows ad pedem litterae the establishment of a discount to those who have accepted their inclusion in a loyalty program of any company, with the consequent acceptance of the treatment of your data would be null, since the possibility of enjoying of the same discount in case of not choosing to adhere to the program of loyalty, which, obviously, respectfully contains a sophism in its own terms. A different matter is that the AEPD considers that it is necessary that the entities financial institutions have a contract in which no commission is established by them some for the contracting of a current account, as it seems to be derived from what indicated in the motion for a resolution. In that case, and as we already indicated in our allegations to the Initiation Agreement, the AEPD would be exceeding the limits in the scope of the functions and powers attributed to it by the RGPD, imposing conditions to credit institutions for contracting their products and services, which would entail, as already indicated, a manifest excess in those. The AEPD, in relation to this affirmation maintained by CAIXABANK in the allegations to the Initiation Agreement, indicates that “[t]his Agency does not assess the validity of the contract, but that of consent to carry out other treatments different from those of the contract and that is conditioned by the exemption from the collection of commissions, which in the opinion of this Agency is contrary to the provisions of article 7.4 of the GDPR”. CAIXABANK disagrees with this statement: the AEPD in its reasoning is not only affecting the freedom to provide consent for the treatment of personal data. personal data of the interested party, but affirms that this consent, as essential element of the current account contract, is affected as a consequence of the fact that said entity exempts from the payment of commissions those who provide your consent to the so-called “digital profile”, which not only affects the application of the personal data protection regulations, but to the legality of the contract itself, given that if the consent for the contracting of the financial product is null by to be, in the opinion of the AEPD, subject to a kind of coercion, there would be a vice invalidating the contract itself, as the contractual consent is affected. Thus, the only conclusion that can be drawn from the motion for a resolution is that no benefit should be granted for the provision of consent to the treatment of the data, since in that case the contract would be vitiated in its own signature, and this despite the fact that the AEPD itself recognizes in its reasoning the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 56/117 possibility of granting benefits, although, in their own terms, “not significant” or “minor”. Finally, the AEPD seems to consider that the consent given by the CAIXABANK clients would not be informed, since it states “it is unknown at the time to sign the contract who are such collaborating entities, and the individual must go to the website of the entity to know at all times who has been transferred their data”. But at the same time, it should be remembered that article 11 of the LOPDGDD establishes the How the interested party must be informed about the processing of their data through what is called “layered information”. Said precept establishes in its section 1 that “[w]hen the personal data is obtained from the affected party, responsible for the treatment may comply with the duty of information established in article 13 of Regulation (EU) 2016/679, facilitating the affected party basic information referred to in the following section and indicating an address electronically or by any other means that allows easy and immediate access to the remaining information” and in its section 2 it does not include the recipients of the data within the basic information mentioned, being perfectly possible that the enumeration of the same is collected in the second informative layer by means of the inclusion of a link in which the list of them appears. But it is that, in addition, as it appears collected in the fourth fact of the Proposal, said link does not exist for the simple reason that, as indicated, it does not There has been no transfer of data to entities of the Group or collaborators. Thus, the Proposal includes as proven what was indicated by the entity in the sense of indicating that “[a]lthough the consent of customers has been requested, BANKIA has not given your personal data neither to the companies of the group nor to other collaborating entities based on these general consents of the TDP nor is there any provision for this” and it is concluded that “[t]here is no link or published document that contains the list of collaborating companies since there is none to which data is transferred based on the general consent obtained through the TDP”. In other words, the affirmation supported by the Motion for a Resolution on this point enters in direct contradiction to what the Proposal itself has considered proven. It concludes that the consent obtained by CAIXABANK in the supposed object of the This procedure is completely in accordance with the requirements demanded by Article 7 of the RGPD, because: CAIXABANK is able to demonstrate the effective provision of consent and carry out a traceability of the consents obtained (article 7.1), which which is proven in the Proposal. The consent requested from the interested party is presented “in such a way that it is clearly distinguishable from the other matters [of the contract], in an intelligible and easily accessible and using clear and simple language”, as recognized by the AEPD itself (article 7.2). The interested party can at any time, and with the same simplicity as gave their consent, revoke said consent (article 7.3), which in At no time does the AEPD deny it. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 57/117 The execution of a contract, including the provision of the services that constitute the current account contract by my CAIXABANK, it is not subject to consent to the processing of personal data, given that the The interested party may freely give this consent or not, not producing no modification in the general conditions of the same (article 7.4). Affirms that if the consent obtained by CAIXABANK meets the conditions established in article 7 of the RGPD, it is obvious to conclude that it cannot be considered in no case that the same has incurred in an infringement of the aforementioned precept in connection with article 6.1 a) of the RGPD. And this should lead to the archive of the present proceedings. THIRD. ABOUT THE CONSENT COLLECTED FROM CUSTOMERS WHO CONTRACTED THE CONTROVERSIAL PRODUCTS THROUGH THE ON-LINE CHANNEL BETWEEN JULY 8 AND AUGUST 15, 2018 CAIXABANK considers the allegations to the Initiation Agreement reproduced and indicates that, in what is argued in the resolution proposal, the AEPD forgets that throughout the reasoning made in relation to the first of the accusations directed against CAIXABANK has crossed out as null, as the element of freedom did not concur, the consent given by the clients of said entity, and this, obviously, even when CAIXABANK considers that the cause of nullity assessed by the AEPD does not concurs in the event of the consents given by the clients of the Account ON. CAIXABANK points out that, as already indicated, it has not denied that a anomaly in its systems that affected a very limited number of its customers (only 812 out of a total, according to the Motion for a Resolution itself, of around 1,200,000 customers). What it does deny is that if it is considered that the consent requested was not lawful, as it was not considered free, which again denies, it can also be seen that this illegality is "reinforced" by the fact that that the consent provision box is pre-marked. In this sense, respectfully, we understand that the reasoning of the resolution should to have been, precisely, the inverse to that sustained in the transcribed text, and that it seems that has been incorporated with the sole purpose of increasing the sanctioning reproach to CAIXABANK: if the requested consent is null because it is considered contrary to the requirements established for its validity in article 4.11 of the RGPD, would result in all irrelevant point that it had been requested by means of a box pre-dialed, given that, as would happen for the remaining 1,199,188 clients) that consent would in no case enjoy the validity required by the AEPD. In other words, if the reasoning of the AEPD is followed, what this party denies in all case, none of the consents given (whether or not the pre-marked box) would be valid, so imposing an additional penalty for the fact that in such an extremely small number of cases said box would be pre-marked it is nothing but a contravention of the non bis idem principle. And this should match immediately the subsumption of this alleged infringement in the collection by the AEPD in the first place, in the event that it insists, despite what is alleged by CAIXABANK, in the nullity of the consent granted. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 58/117 Only in the event that the infringement analyzed in the Second allegation was not observed. of this writing, the appraisal of a sanctioning reproach against CAIXABANK. FOURTH: VIOLATION OF THE PRINCIPLE OF PROPORTIONALITY. IMPROPER APPLICATION OF CONCURRENT CIRCUMSTANCES IN THE PRESENT CASE 1. General consideration about the principle of proportionality From what has been indicated, the origin of the fact that the resolution that, in short, is issued in this procedure agrees on the archive of the same, exonerating CAIXABANK from all responsibility. However, for the hypothetical assumption that the AEPD does not Appreciate the concurrence of the necessary requirements to agree on the aforementioned file, should be particularly taken into consideration in determining the sanction that could impose the application of the principle of proportionality. In this sense, it should be remembered, in the terms in which the Supreme Court in its ruling of November 20, 2001 (Recourse of Cassation no. 7686/1997): “As the Supreme Court has already maintained in rulings of November 24, 1987, October 23, 1989 and May 14, 1990, the principle of proportionality cannot escape jurisdictional control, because as specified in the judgments of this Court of September 26 and October 30, 1990, the discretion that is granted to the Administration must be developed weighing in any case the concurrent circumstances in order to achieve the necessary and due proportionality between the imputed facts and the demanded responsibility, according to the judgments of November 24, 1987 and March 15, 1988, given that all sanction must be determined in congruence with the entity of the infraction committed and according to a criterion of proportionality attentive to the objective circumstances of the fact, proportionality that constitutes a normative principle that is imposed as a precept more to the Administration and that reduces to the scope of its powers sanctions, since jurisdictional activity corresponds not only to the qualification to subsume the conduct in the legal type, but also to adapt the sanction to the fact committed, since in both cases the subject is the application of evaluative criteria legal embodied in the written norm inferable from integrating principles of the legal system, as they are in this sanctioning field, those of congruence and proportionality between the infraction and the sanction.” In this way, it is necessary for the sanctioning body to proceed to evaluate meticulously the concurrent circumstances in the present assumption, with the purpose of determining the amount of the punitive measure that may be appropriate adopt against CAIXABANK in the denied event in which it is appropriate to do so. 2. The disproportionate nature of the sanctioning measure adopted by the AEPD in relation to the second of the infractions attributed to CAIXABANK C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 59/117 As CAIXABANK already indicated in the allegations to the Initiation Agreement, which are perfectly transferable to the Motion for a Resolution, there is an absolute violation of the principle of proportionality with regard to the alleged infringement the fact that the consent boxes were pre-marked during the period between July 8 and August 15, 2018, given that it adopted, with due diligence all measures aimed at correcting the deficiency produced in its information systems, affecting the incidence only to a total of 812 clients out of a total of 1,200,000. This issue was analyzed in detail in the arguments made by CAIXABANK to the Initiation Agreement, which it already reproduced, as does the Resolution Proposal, the measures adopted by said entity. Likewise, it revealed that the 812 customers affected are inactive customers who have not maintained any relationship with the entity from the time of the opening of the account through any channel, being impossible for me said entity its locating and establishing any contact with them. To this must be added that there has been no complaint or claim against it by the aforementioned interested parties as a result of an alleged violation of the fundamental right to the protection of your personal data. The control authorities enjoy, in accordance with the RGPD, a very wide margin of discretion in the adoption of coercive or repressive measures. However Such discretion cannot become a violation of the principle of proportionality and the interdiction of the arbitrariness of public powers, especially if one takes into account that, as this party has repeatedly recognized, in In this case, there has only been an incident in the operation of their systems, having adopted all the necessary corrective measures and ultimately proceeding to consider the consents granted as not given as a result of this incident. Having made the foregoing consideration, CAIXABANK considers that in this case there is no aggravating circumstances would be applicable that, unduly considers concurrent the AEPD, also considering appropriate, in the denied assumption of appreciating the responsibility of CAIXABANK, the imposition of the warning measure established in article 58.2 b) of the RGPD. The Motion for a Resolution is limited to citing the content of recital 148 of the GDPR to conclude, certainly in a completely concise way that “[i]n this case, considering the seriousness of the infractions found, the imposition fine without being able to accept the request made by CAIXABANK for it to be impose other corrective powers that would have allowed the correction of the irregular situation, such as the warning, which is planned for natural persons and when the sanction constitutes a disproportionate burden.” In this way, CAIXABANK cannot know which are the elements that the AEPD considers to be they “clearly” exclude the possibility of applying the measure that has just been indicated. And it is that the Proposal seems to emphasize not in the concurrent circumstances in the present assumption or those that are necessary for the appreciation of the origin of replacing the economic sanction with the warning, but rather C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 60/117 focuses on the reference made by recital 148 of the RGPD to the circumstances to be taken into consideration in determining the amount of the economic fine as if they were determining elements of the inadmissibility of adopting the warning, rushing immediately to appreciate their concurrence in the assumption, even when they were not considered in the Start Agreement, in order to reinforce the conclusion previously reached. Recital 148 cited only refers, for the assessment of the warning to the fact that we are faced with a "minor infraction" or a fine “likely to be imposed would constitute a disproportionate burden for a natural person. Not being applicable to CAIXABANK the second of the assumptions must be analyzed if we are faced with an assumption that could considered of little seriousness or "slight" in the present case. And it should be noted Note that when the RGPD refers to a "minor infringement" it does not do so by reference to the provisions of article 74 of the LOPDGDD, since, on the one hand, said rule did not exist at the time of approval of the RGPD and, on the other hand, said text The law does not differentiate between different degrees of severity of the sanction in its article 85. When recital 148 of the RGPD refers to the seriousness or lightness of the sanction refers to the cases in which there has been or has not been a commitment particularly relevant to the fundamental right to data protection, way that in case of not being the same tolerant and being manifest the violation does not it would be possible to go to the warning as a response to non-compliance. The Article 29 Working Group stated in this regard in its document WP253 of “Guidelines on the application and setting of administrative fines to effects of Regulation 2016/679”, ratified by the European Committee for the Protection of Data in its constitutive session, when it indicates the following (the underlining is ours): “In recital 148, the notion of “minor infringements” is presented. sayings Violations may constitute violations of one or more provisions of the Regulation cited in article 83, paragraphs 4 or 5. However, the evaluation of the criteria provided for in Article 83, paragraph 2, may lead to the authority of control considers, for example, that in the specific circumstances of the case the violation does not entail a significant risk to the rights of the data subjects and does not it affects the essence of the obligation in question. In such cases, the fine may be replaced (although not always) by a warning. Well, in the present case we are faced with a situation that has affected only to 812 of a total of 1,200,000 clients, without there being any type of claim on their part and without said affected parties having maintained, from the at the time of the occurrence of any type of relationship with CAIXABANK, dealing with inactive clients with respect to which, in addition, said entity appreciated as not given consent, refraining from processing your data and all this after having adopted extremely diligent aimed at achieving contact with the aforementioned clients. In this way, and without prejudice to the fact that it has already been warned that the imposition of this sanction would imply a violation of the non bis in idem principle, in the denied assumption in which the AEPD considers that CAIXABANK's conduct could constitute C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 61/117 of reproach, of which there would be no doubt about the absolute lightness of the infraction allegedly committed, which should lead to the fact that, in the event that appreciate against the criterion maintained by CAIXABANK the existence of reproach sanctioning, this should at most consist of the adoption of the measure of warning established in article 58.2 b) of the RGPD 3. On the circumstances assessed in relation to the first of the infractions included in the Resolution Proposal. a) Of the alleged concurrence of the aggravating circumstance provided for in article 83.2.a) RGPD, that assesses the nature, seriousness and duration of the infraction. The AEPD considers the appropriateness of applying this aggravating circumstance to CAIXABANK because “[t]he It is an isolated offending conduct. It is about the design of a financial product with the purpose of conditioning the clients of the entity that contract the same, through the exemption of the collection of commissions of the contract, to lend its consent for purposes other than those of said contract. However, CAIXABANK understands that the circumstance mentioned, as well as the remaining that are cited in this section should not be considered aggravating their behavior, since they integrate the typical behavior on which the AEPD applies its sanctioning power. Indeed, as indicated in the Motion for a Resolution, it is considered that the conduct infringer consists of the alleged conditioning of their consent for the processing of your personal data by having established an exemption from the payment of The commissions. In this way, if said conduct integrates the type of infraction hardly appreciated, it can also be considered a circumstance that aggravates the responsibility. On the other hand, the citation of the figures mentioned in the Motion for a Resolution shows how consent was not conditioned in any way automatically as a result of CAIXABANK's conduct, given that nearly 250,000 customers, which cannot be considered under any circumstances as a merely residual figure, they decided not to provide all the consents established by CAIXABANK in order to be considered users with a “digital profile”. Finally, the AEPD indicates in its Resolution Proposal that "it is carried out In addition, the treatment of a large volume of data of the interested parties who consent that the profiling is carried out with the data that is qualified in the TDP as personal and include data relating to customer identification, contact details, marital status, number of children, date and province of birth, nationality and data professionals; with the data obtained from the contracted products and with the obtained from the operations, movements or transactions associated with their products". It should be remembered that, as indicated in the proven facts, the outlined to which the Motion for a Resolution refers would have a character prior to the transfer of personal data of customers who have provided their consent for this to the companies of the Group or collaborators of said entity. However, the Proposal itself states as a proven fact that the aforementioned transfer did not did not take place in any case, indicating that “[a]lthough consent has been requested from C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 62/117 customers, BANKIA has not transferred their personal data to the group companies or to other collaborating entities based on these general consents of the TDP and there is no provision for it” and it is concluded that “[n]ot there is no link or published document that contains the list of collaborating companies since it does not there is none to which data is transferred based on the general consent obtained through the TDP. Thus, if the treatment did not take place according to one's own Resolution Proposal, it will hardly be admissible to indicate that said treatment “is carried out”, being that either the facts declared proven in the Proposal or Well this statement is contrary to reality. Thus it is hardly possible apply as an aggravating circumstance that in no way has occurred in this case according to the factual account of the Motion for a Resolution. All this concludes in the non-application of the aforementioned aggravating circumstance, given that, On the one hand, it implies aggravating the sanction based on an element of the offending type and, on the other hand, another conflicts with the list of facts that the Proposal declares tested. b) Of the alleged concurrence of the aggravating circumstance provided for in article 83.2.b) The proposed Resolution states at this point that “[t]his is a conduct intentional in relation to the violation of data protection regulations personal, being aware the claimed entity that the exemption from the payment of commissions would result in most customers of such accounts consent to the processing of advertising data and transfer of data to companies of the group". The very text of the proposal on this point shows to what extent the reasoning contained in its foundation of law III contradicts reality of the facts, given that, as it indicates, at this point there has been no encumbrance or damage to the interested parties who have not provided their consent to the processing of your personal data, but only the exemption payment of commissions, which is purely and simply a benefit. CAIXABANK understands that, in any case, it is not possible for the AEPD to assess aggravating circumstance which is nothing but a mere business strategy and less still prejudge the assessment that CAIXABANK could carry out about the number of customers who could give their consent to the processing of their personal data, given that it is difficult for the AEPD to know, and even less to prove, the realities or facts of which said entity may or may not be aware. In this way, the Proposal raises nothing less than to the degree of circumstance aggravating liability which is nothing more than a mere conjecture or assessment merely subjective about what CAIXABANK could or could not consider in the moment of launching the product, also taking for granted the reality of that guess. Added to this is the fact that, as already indicated in the section above, it has been proven that more than 20% of the clients who subscribed to the Account ON chose not to give their consent to the treatment and transfer of their data, thus not assuming the so-called "digital profile". C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 63/117 c) Of the alleged concurrence of the aggravating circumstance provided for in article 83.2.k) RGPD, considering included in it as an aggravating circumstance the nature of a large company of CAIXABANK. CAIXABANK affirms that the Resolution Proposal, without further consideration, considered aggravating, under the residual rule established in article 83.2 k) of the RGPD, CAIXABANK's status as a large company. Consider that in relation With this circumstance, it has not found in the regime of the RGPD nor in that of the LOPDGDD no rule that considers the same as an aggravating factor of an infraction. The most that the size of the company will contribute to is the quantification of the limit maximum of the sanction that could correspond, depending on it, if it is higher to the established limits, of the total annual worldwide business volume of the person in charge. However, this consideration is already made by the AEPD when calculating the number of business of CAIXABANK, so it seems that it is simply added, of completely arbitrarily, to the catalog established in the current regulations, with the consequent breach of the principle of legality. d) Of the supposed continuous nature of the infraction. CAIXABANK alleges that the AEPD appreciates the existence of a continuous character in the offense committed, “in the sense interpreted by the National High Court as permanent infringement. Well, so that an infraction can be cataloged as permanent, in the cases in which the non-existence of the consent of the interested party, it is necessary that it has been proven that the treatment has actually taken place, even though the accredited facts As proven in the Resolution Proposal, it is not clear that the execution of the treatment and, what is even more relevant, that in no case was there effectively the transfer of data with respect to which the consent of the interested. Thus, the National Court in numerous sentences, for all the one of 21 October 2014, relapse in appeal 367/2013, recalls that: “[…] in this area administrative penalty there are so-called permanent infractions (which do not continued), which are characterized in that the conduct constituting a single offense is maintained for a long period of time, which implies that the term of prescription does not start until the situation of infringement pursued ceases SSAN, September 21, 2001 (Rec. 95/2000), November 21, 2007 (Rec.117/2006); April 23, 2008 (Rec. 274/2007), May 20, 2010 (Rec. 337/2009), October 14 2010 (Rec. 64/2010) etc. Thus, in the case of data processing without consent, There is permanent damage to the legal right while the existence of the legal right is proven. treatment without consent”. In this way, and aside from the fact that, as indicated in the aforementioned judgment, the circumstance of continued infraction, which is the one established in article 76.2 a) of the LOPDGDD cannot be assimilated to that of permanent infraction, a similarity that, due to the On the contrary, the AEPD does appreciate it, it must be taken into account that it does not appear as proven in the Proposal that the treatment without consent (in the opinion of the AEPD) has taken place, which would invalidate the application of this circumstance. e) Of the alleged benefits obtained by CAIXABANK. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 64/117 The AEPD considers in the Resolution Proposal that the responsibility of CAIXABANK, given that “[i]t is taken into account that among its commercial activities is the sending of commercial communications to its clients from the following sectors: financial (banking, investment and insurance), real estate, cultural, travel, consumption and leisure”. This part fails to understand why what reason is considered that the realization of the aforementioned communications constitutes, As the Resolution Proposal seems to indicate, the activity of CAIXABANK, which As is well known, it is a bank entity. Moreover, in any case, such a conclusion could at most imply the existence of a link between the activity of said entity and the performance of processing of data, but in no case does it imply obtaining a supposed benefit for the same, unless it is considered that the realization of a shipment (fact that also has not been proven, as has been repeatedly pointed out) intrinsically implies a profit for CAIXABANK. If the AEPD considers the alleged obtaining of a benefit to be applicable as an aggravating circumstance should, at least, accredit it in the resolution. However, again, the AEPD makes a completely apodictic statement in its proposal, lacking the least evidentiary support that, in addition, is used as an aggravating circumstance to raise the amount of the sanctioning reproach directed against CAIXABANK. 3. On the circumstances assessed in relation to the second of the infractions collected in the Resolution Proposal a) General consideration about the application of aggravating factors related to the size of CAIXABANK, the ongoing nature of the infringement and the benefits obtained. The AEPD considers concurrent in the second of the offenses imposed the same aggravating circumstances appreciated with respect to the first, because, with independence of its diction, together with those mentioned in the rubric of this section, the Motion for a Resolution also refers to those included in the sections a) and b) of article 83.2 of the RGPD. Regarding the remaining circumstances, CAIXABANK wishes to consider reproduced what indicated in sections c), d) and e) of the previous section, which is also seen reinforced by the fact, which the Proposal ignores, that the behavior now analyzed it only affected, as has been pointed out repeatedly, a total of 812 people of a mass of clients of the ON account close to 1,200,000 people. Nor has it been proven, with respect to said clients, or the continued nature of the infringement nor the obtaining of any benefit by said entity, which would exclude the application of these aggravating circumstances, since if the AEPD considers from its application, this should only be based on the accreditation of the concurrence of the necessary requirements for it to take place. b) On the alleged concurrence of the remaining aggravating factors referred to in the Resolution Proposal. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 65/117 The AEPD considers that it is appropriate to aggravate the sanctioning reproach in this case given that “[t]his is not an isolated event, but rather affects the collection procedure consent for a period of time, during which the consents They appeared pre-marked for those clients who contracted online”. Equally, considers that there was negligence on the part of CAIXABANK, given that “[t]he defect that constitutes the infraction, this is the existence of pre-marked consents, given his evidence should have been warned and avoided by an entity with the characteristics of the claimed entity. First of all, it should be remembered that the impact of collecting the consents mentioned in the Proposal was limited to a short period of time (from July 8 to August 15, 2018) affecting, ultimately, as It is accredited only to 812 clients, who also do not maintain any type of active relationship with CAIXABANK. But the fact is that, in addition, the defect was detected by CAIXABANK, which once appreciated the error proceeded to correct it, so that as of August 15, 2018, that is, more than six months before the opening of the proceedings of investigation, the aforementioned incidence was corrected. In other words, as will be analyzed immediately, we are not faced with the reaction of CAIXABANK in the face of a request or even some type of action by the AEPD, but to the correction of the incidence that took place as a consequence of the process of integration of various financial entities, and which was resolved with the greatest speed by it, so that the appreciation of a supposed intentionality or negligence in his action is contrary to the reality of the facts. 5. Regarding the actions of CAIXABANK, which would determine the application of the circumstance established in letters c) and f) of article 83.2 of the RGPD. Article 83.2 c) of the RGPD requires the control authorities to duly into account when deciding the imposition of an administrative fine and its amount “any measure taken by the person in charge or in charge of the treatment to mitigate the damages and damages suffered by the interested parties. Likewise, it must be taken into account according to the section f) of said precept “the degree of cooperation with the control authority with in order to remedy the infringement and mitigate the possible adverse effects of the infringement. infringement". CAIXABANK has adopted all the necessary diligence measures to guarantee adequately comply with the personal data protection regulations, minimizing, if it had existed, what is in no way proven, the alleged damage that could have been caused to its clients not only as consequence of the incident that occurred between July 8 and August 15, 2018, but by suppressing, once he became aware of the AEPD's actions, and in all case prior to the inspection visit that took place on 12 December 2019, the link between the exemption from the payment of commissions by the of the holders of the ON account in the event that they had acquired the condition of "digital profile" and the consequent provision of consents disputed in this proceeding. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 66/117 Indeed, firstly, as already anticipated in the previous section of this allegation, the banking entity resolved the incident that occurred in its systems, and that for the AEPD deserves the reproach analyzed in the foundation of law IV of the Resolution Proposal, on August 15, 2018, that is, when there was no any complaint or claim directed against it. In this way, warned incidence, the pertinent measures were adopted for its disappearance. These measures were complemented by carrying out different actions that the Proposal itself of Resolution considers proven in the proven fact fourth of the same. Namely, did not limit itself to eliminating the pre-marking of its clients' consents, but that it adopted effective measures to guarantee that they effectively provided their consent, or withdrew it, without any type of conditioning. The result of such measures was that there has been no modification of the appropriate provision of consent only by 812 clients, with respect to which the Proposal itself recognizes as proven that, as said entity confirmed, it is of “On accounts without movements or significant activity in the last months or, in many cases, with negative balances to regularize, having attempted the contact with the headlines on several occasions without it having been achieved”. Even with respect to these clients, the Proposal considers the performance of by CAIXABANK of additional actions in order to obtain a statement, affirmative or negative, about your consent to the treatment of your personal information. Said measures, as indicated in fact five of the Proposal consisted of the following: “- The consents have been requested again from the clients who did not have modified, taking advantage of the first interaction with the entity by any of the enabled channels (branch, Bankia Online or Bankia App). This obtaining of new consents, from a neutral position to the option of acceptance or not acceptance that in each case is chosen by the interested party for each of the requested consents, has been configured as a necessary step to be able to continue the operation through any of the channels. - Those clients who have not passed this process have been considered as customers who have not given their consent to the entity regardless of the meaning of the consents they provided in the registration process of the On account, and have been marked in systems as having denied all consents. - All On account holders were informed, in December 2019, of the change of conditions of the digital profile, and the elimination of the requirements of having authorized the sending of commercial communications and the transfer of data for the purposes of collection or fee waiver. - Contact has been made by telephone (through the corresponding managers) with customers who have not modified consents; in the case of the 812 clients who have not yet gone through the process, although attempts have been made to contact them at several times, the result has been unsuccessful. - The process of canceling those inactive and inactive accounts has begun in the last few months.” But CAIXABANK's proactive measures in this case have not only referred to the second of the accusations made by the AEPD, but have determined the Suppression of obtaining the consent of the interested parties for the processing of your personal data as a requirement for holding the “profile C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 67/117 digital” and the consequent exemption from the payment of commissions, despite the fact that CAIXABANK has always considered that these conditions were perfectly respectful of the personal data protection regulations. And this modification occurred before CAIXABANK had knowledge of the existence of specific investigative actions against the itself, which was not known until the moment in which the inspection was carried out, presence of the AEPD in the facilities of my client. Until that date the only thing said entity was the request by the AEPD for information on relation to the processing of customer data of the ON Account, which was responded to that on March 19, 2019 and the transfer of certain claims, without knowing whether or not they had been admitted to Procedure. In this sense, it is established in the fourth proven fact that said entity, to the The date on which said inspection was carried out had modified the conditions of the ON account, disappearing the reference to consent to data processing as necessary for the ostentation of the "digital profile". Thus, the fourth proven fact of the Proposal indicates the following: “The fourth condition to hold the digital profile, related to the PUSH messaging service, has been added from 12/15/2019 for new ON product contracts, while remove the following conditions: - “All holders have authorized Bankia, by subscribing the Personal data processing document, equivalent document or contract corresponding, the treatment of your personal data for the sending of commercial communications through any enabled communication channel, including email and mobile phone. - All holders have authorized Bankia, by subscribing to the Personal data processing document, equivalent document or contract corresponding, the transfer of your personal data to companies of its group for the analysis of your profile for commercial purposes.” For customers who already had a product ON the new conditions applied from February 16, that is, two months after they were communicates this contractual modification, having sent the communications on last December 15. Indicates that the two indicated conditions have been removed in new hires, and although they would be provided contractually for the pre-existing clients until the aforementioned communicated modifications are effective on February 16, BANKIA does not take these two conditions into account for to discount or not the commissions since last October 16.” In this way, since October 16, 2019 I did not operate for any client of my CAIXABANK the exemption from the payment of the commissions of the ON account with respect to those customers who have consented to the processing of data. Thus, the conduct that the AEPD considers reprehensible had ceased to be taken to court. practice even before said entity became aware of the existence of inspection actions directed against it, having also provided the AEPD with all its collaboration in the investigation of the facts and in the minimization of the alleged damages caused to its clients. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 68/117 For all these reasons, and in relation to both accusations, it would operate, if the sanctioning reproach of the AEPD, which CAIXABANK denies, the application of the mitigating factors contained in letters c) and f) of article 83.2 of the RGPD. Of the actions carried out in this procedure and the documentation in the file, the following have been accredited: PROVEN FACTS FIRST: On 02/13/19, you had a written entry to this Agency, submitted by claimant 1 (E/03825/2019), in which he states the following: “As a client of Bankia, of the ON account, require me to accept all the consents of processing of personal data, which appear already pre-marked or accepted. In addition, if I choose not to transfer my data to third parties, for example, I They impose a fee of 5 euros per month to continue maintaining my account”. On 02/26/19, he had entry into this Agency in writing, presented by the Claimant 2 (E/03826/2019 processed under reference E/3825/2019), in which states the following: “My claim is based on the violation of the right not to consent to the sending of commercial communications and the penalty that is applied for it. In the Bankia banking entity a charge has been applied to me for "collection of services" on February 1 in my checking account. Contacted phone with the entity to consult the reason for the charge, I am told that the type of my account is Account ON and that I meet all the characteristics of the digital profile except for one, that "all holders have authorized Bankia, through the subscription of the Personal Data Processing document, document equivalent or corresponding contract, the processing of your personal data for the sending commercial communications through any enabled communication channel, including email and mobile phone". With the date of entry in this Agency 02/28/19, it is presented in writing by the claimant 3 (E/04093/2019, processed under reference E/3825/2019), in which it highlights manifest, among other extremes, the following: "After years as a client of the entity bank mentioned, began charging commissions from November 2018 in concept of "CHARGE FOR SERVICES COLLECTION". When asking the institution Regarding these concepts, their response was that, (...)- in relation to the claim that you have put for the collection of commissions in your On account, we indicate that what is generating this charge is that you have to modify that IF it was similar: "Clients of the ON Account must accept the reception of publicity and the transfer of their data to third parties or, otherwise, they will receive a monthly commission of five euros". On 04/08/19, he had entry into this Agency in writing, presented by the claimant 4, (E/05449/2019), stating that: “Bankia demands the complete assignment of my personal data so as not to charge me a monthly commission of X euros, so GDPR is violated. One of the conditions of your ON Account to not have collection of commissions is to have accepted the entirety of the data transfer consent. When I was asked about this topic on your website, I refused to send advertising and commercial messages to my email and my phone, and at no time C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 69/117 I received information that I would be charged maintenance fees of no agree. I feel that they extort me to keep my data so that I can send spam and commercial junk mail to my accounts.” On 06/19/19, a written entry was received by this Agency, presented by the claimant 5, (E/06961/2019), in which he states the following: “I opened an Account called: "ACCOUNT ON", in which following certain guidelines on use of email and mobile phones for communications and correspondence, You are exempt from paying commissions for the maintenance of the account. A few months ago I decided to withdraw the data processing consent to: 1."receive personalized information about discounts, promotions, products, services of the financial sector or others, by any channel based on my preferences personal" 2. "That Bankia consult my data in the asset solvency files and/or credit, as well as other similar sources of information in order to offer me personalized financing products", 3. "I agree to participate in loyalty programs, sweepstakes, contests, surveys and social action programs or similar actions, as well as receive news and/or communications about them through any channel (paper, media electronic, telematic, digital, etc.)." And consent to data transfer: 4. "Share my personal data with companies and investee companies or collaborators of the Bankia group so that can offer me their products or services" As a result of this, Bankia has begun to charge me for collection of account maintenance services of X euros per month”. On 08/07/19, he had entry into this Agency in writing, presented by the Complainant 6 (E/07830/2019), in which he states that: “Bankia has changed the conditions of the checking account I have with them. I am forced to agree to receive advertising of them and their partners if they do not charge me X euros per month of maintenance. On 12/14/2020, it had entry into this Agency in writing, presented by the Claimant 7 (E/00869/2021), in which he states that he is the holder of an On account and that, from the date of opening of the aforementioned account, it has been charged a monthly maintenance fee of 5 euros (from August to December of 2019). It states that after consultation with the entity claimed on the 7th of November, he was told that the commission was charged for not complying with the profile digital. SECOND: The claims are transferred to the data protection delegate of the entity claimed, in accordance with the provisions of article 65.4 of the Law Organic 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights, the following answers are received: Regarding the claimant 1.- “After analyzing the products associated with claimant 1, it has been verified that the claimant is currently an ON account holder. In relation to said client, It is clear that you have exercised any right before the Entity in relation to C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 70/117 with your data, nor that the consents that were provided have been modified dated January 19, 2018, regarding the processing of your data for sending commercial communications not consenting to the possibility of transferring the data to Bankia Group companies. Attached is the contract formalized by the one in which the consents are recorded provided in the indicated sense. Also, it has been found that there is no any claim initiated against Bankia by this client or through its management office, or before the Customer Service ("SAC"), or before the Office of the Data Protection Officer (“DPO Office”). Consequently, we do not have proof that no incident has been generated with this client, associated with your account ON.” Regarding the claimant 2.- “In relation to (complainant 2), it has been verified in the same way that said client has been the holder of an On account although it is currently cancelled. Regarding the consents given, it must be indicated that as stated in our database the processing of your data for commercial purposes was not initially consented in October 2017, and later this no was maintained. consent through the signature of the corresponding TDP dated August 18, 2018 through Bankia Online (BOL); all this according to documents nº2 and nº3 that accompany. Regarding the claims presented by this client, he addressed both to ***EMAIL.1, email address that appears in the contracts and in which the Interested parties can exercise their rights in relation to their data, such as the Office of the Data Protection Officer on February 6 and 7, 2019 respectively, requesting in both cases the retrocession of the charges for collections of commissions that had been made in your ON account on February 1, 2019. The answer to his claim was made from the office of the Delegate of Data Protection, dated February 22, 2019, informing you that the collection of commissions was due to the fact that, as established in his contract, on the date of collection of the same were not being fulfilled by the holders the requirements of the digital profile so in that period it was not appropriate to apply the bonus of certain commissions of the ON account contractually foreseen, among others the commission for maintenance and administration of the account and the credit card fee ON debit associated with it. In this sense, the client was offered the possibility of canceling said product and contract another of those that Bankia has available in its catalog and those that are not apply the conditions of the digital profile. Attached as documents No. 4 and No. 5 are the emails sent by the claimant and the replies to them sent from the Office of the DPD. Subsequently, on May 22, 2019, the claimant proceeded to the cancellation of the ON account at your branch, and filed a claim with the SAC reiterating the request for retrocession of the commissions generated and showing their C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 71/117 disagreement with the conditions of the aforementioned digital profile. On the occasion of said claim, dated May 24, 2019, Bankia proceeded to pay the claimed amounts. Attached as documents No. 6 and No. 7 claim received in the SAC and response to said claim sent to (claimant 2).” Regarding the claimant 3.- “It has been verified that you have an ON account and you have submitted several claims in relation to it, as detailed below. Regarding the consents given, it should be noted that as stated in our database the processing of data for commercial purposes is is on loan in November 2018, partially modifying these consents through the signing of the corresponding document "Modification of Treatment Authorizations” (“MTA”) on both February 23, 2019 and February 28, February 2019; all this according to documents nº8, nº9 and nº10 attached. Regarding the claims presented by this client, two Claims filed with the SAC in the months of November and December 2018, claiming the collection of commissions in the ON account for the respective months. As a result of this claim, said commissions were regularized, being the cause that gave rise to the regularization applied by the SAC the fact of not having located the contract signed with the client. Attached as documents No. 11, No. 12, No. 13 and No. 14 complaints received at the SAC and their response. The data protection delegate provides the following information about the Incidents and measures taken: The requirement itself transfers the facts that motivate the claims of the clients, which in extract are the following: “Obligation to accept as clients of the "Account ON" consent to the processing of your personal data, which appears as pre-marked or accepted and specifically, "the reception of advertising and the transfer of your personal data to third parties” to avoid charging commissions for the maintenance of said account. Based on what was transferred and once said extract had been analyzed, as well as the operation of the ON account in all its modalities and the collection process of consents, the following conclusions have been reached: There is no obligation to accept any consent on data processing in the contracting process of the ON account, having verified that any client can contract it without the provision of that consent prevent your hiring. - Something different is that the client complies with the conditions of the so-called "digital profile", which may mean that in certain products the Entity can apply a payment exemption, that is, an exclusion from the payment of certain commissions of the contracted products that have this type of profile and as long as the client maintains the same, as already explained. It which is justified based on the digital profile of the relationship between the client C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 72/117 and the Entity, and the advantage of making it more efficient through the use of digital media in commercial communications. - The process of managing consents by customers, which allows not only lend them freely and through any of the channels of the Entity, but also modify them at any time and as many times as the client wants in an agile and simple way, guarantees that said consent lend freely.” - It indicates that it has been sent on June 11, 2019, communication to the clients about this request for information in relation to claims transferred. A copy of these is attached as documents nº17, nº18 and nº19. Regarding claimant 4 “The claim is based on its non-compliance with the requirements for the fulfillment of the digital profile in relation to the ON Account. The complainant alleges that Bankia requires him to comply, among other requirements, with the assignment full of your personal data to be entitled to the commission bonus monthly fee of 5 euros contractually agreed. After receiving the aforementioned request, from the Office of the Delegate of Data Protection has proceeded to verify whether prior to contacting the AEPD, the claimant has initiated a claim for this fact before the Entity, either through through its management office or by contacting the Data Protection Delegate and Privacy or Customer Service. Once this check has been carried out, There is evidence of any claim initiated against Bankia by this client. As recorded in Bankia's systems, on July 20, 2018 the (claimant) gave their consent through Bankia Online by signing the document "Processing of Personal Data" (hereinafter, "TDP"). Copy of said document is attached as document nº1. These consents were partially modified, dated April 8, 2019, by the claimant through the same channel, proceeding in this case to the signature of the document “Modification of Treatment Authorizations” (hereinafter, “MTA”). I know I attach a copy of said document as document No. 2, in which they are granted positively all the consents and thus continue to the date of issuance of the present report. Regarding the claimant's assertion regarding the requirement of complete assignment of personal data for the exemption from the collection of the maintenance commission, there is to indicate that it has been verified that the fact that Bankia is consented or not processes your data for certain commercial purposes has not conditioned, in In no case, contracting the ON Account or any other product of the Entity by the claimant. Another thing is that it meets the conditions of the so-called "digital profile", which which means that Bankia can apply an exemption from payment of commissions, that is to say C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 73/117 an exclusion from the payment of certain commissions for those clients who have that type of profile and as long as it stays the same. Regarding claimant 5 “According to the Bankia systems, on June 16, 2015 the claimant gave his consents in a positive sense in an office of the Entity, for which it signed the document "Personal Data Processing" ("TDP"). A copy of said TDP is attached as document No. 1. These consents were modified by the claimant on January 22, 2019, through Bankia Online (BOL) by signing a new TDP document in which all the consents were negatively granted. Attached copy of said TDP as document nº2. Subsequently, these consents have been modified again and partially by the claimant on June 19 (on two occasions at 6:33 p.m. and 19:13), June 30 and July 11, 2019 through Bankia Online, proceeding to the signature of the corresponding documents of “Modification of Treatment Authorizations” (“MTA”). A copy of the corresponding MTA is attached as documents nº 3, 4, 5 and 6. Regarding the alleged violation of the claimant's right to object to receive personalized information about discounts, promotions and products financial, as well as the transfer of your personal data to companies of the group or collaborators, it must be indicated that the fact that the claimant has consented or no both treatments have not conditioned, in any case, the process of contracting the On Account or the exercise of their rights as an interested party. Bankia has fully complied with its right to object, insofar as it has been able to modify and can do so again through any of the channels of the entity, their consents (in the case of the claimant, in up to five occasions). A different thing is that the claimant complies with the conditions of the so-called "profile digital”, which means that Bankia can apply an exemption from payment of commissions, that is, an exclusion from the payment of certain agreed commissions contractually for those customers who meet that type of profile and during the long as it stays the same.” Regarding claimant 6: “The claimant contracted an On Account and on that same date, positively granted your consent by signing the corresponding document "Treatment of Personal Data” (hereinafter, “TDP”). A copy of the contract is attached. Account On as document no. 1 and a copy of the formalized TDP as document no. 2. These consents were subsequently updated and revoked by the claimant dated May 25, 2019, through Bankia Online, through the signature of a new TDP. A copy of said TDP is attached as document no. 3. Subsequently, the claimant partially modified his consents on days 3 and July 8, 2019, proceeding in these cases to the signing of the document "Modification C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 74/117 of Treatment Authorizations” (hereinafter, “MTA”). A copy of both is attached. documents as document nº4 and document nº5 respectively. Likewise, said brief concludes that “The conditions that must be fulfilled by the claimant as the holder of an On Account to have a digital profile are those that appear in the contract signed by the claimant on November 21, 2016, without been modified by Bankia at any time contrary to what is stated in the claim. Likewise, there is no obligation to accept any consent on the treatment of personal data in the process of contracting the On Account. A different thing is that the client complies with the conditions of the so-called "profile digital”, which may mean that in certain products the Entity may apply a payment exemption, that is, an exclusion from the payment of certain commissions of the contracted products that have this type of profile and provided that the client keep the same, as already exposed. What is justified on the basis of one's own digital profile of the relationship between the client and the Entity, and the advantage of doing more efficiently through the use of digital media in communications commercial. And in this sense, the claimant has been answered, providing a copy of said communication as document number 6”. Regarding claimant 7 dated 03/04/2021, a response is received from the entity claimed by providing, among other documents, the contract of the interested party in which It is clear that he had not given his consent to the conditions required for the exemption from commissions, and a letter from said entity to the interested party in which communicates that "as stated in your contract, the bonus of certain commissions of the ON Account, among others the commission of maintenance and administration, is subject to all holders maintaining a digital profile. No However, if any of the conditions of said profile are not met, your ON Account remains fully operational and you can continue to enjoy all the services associated with it, with the economic conditions and commissions and expenses applicable according to the contract. Also, inform you that as it went informed the Customer Service Department in the letter that was sent to him on the 8th of January 2020, in order to strengthen its relationship with the Entity, despite not complying with the conditions of the digital profile, Bankia has proceeded to pay the amounts charged for this reason.” THIRD: It is recorded in a letter from Bankia received by this Agency dated 03/19/19, in response to the request made by the Data Inspection within the framework of the investigative actions agreed upon by the Director of the Spanish Agency for Data Protection, on March 21, 2019, the following regarding the Privacy Policy: “The Privacy Policy that is applicable to the Entity, regarding the treatment of the data, is collected in the two documents that are related to below and that are provided as evidence of this first point to the present written: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 75/117 - The document called "Processing of personal data" (TDP), which is generated and signature in the registration process of each client and that contains all the required information by the regulations in relation to the processing of data derived from the relationship contract that exists at all times between the client and the Entity. The TDP is edited both in the registration of clients in branches and in the registration of clients through the channels at a distance available to the Entity (Bankia Online and App). - Bankia's "Privacy Policy" available at https://www.bankia.es/es/particulares/privacidad. This page contains the information legally required regarding the processing of personal data obtained through the websites and web tools owned by Bankia, not being applicable for those collected in the contracts that the user can formalize with the Entity, even if they are linked or related to the "channels of communication from Bankia”, since the provisions of this document will be applicable to said data. in the TDP as explained in the previous point.” It appears in the TDP document regarding the information on the conditions for the processing of personal data, provided by Bankia, both in the model that is generated in remote channels such as the one signed in the office (documents 1 and 2), which are collected, under the title "personal data", data related to the identification of the client, their contact information, marital status, number of children, date and province of birth, nationality and professional data. This document informs the interested party that the personal data requested by Bankia will be treated in in accordance with the basic data protection information described below, urging the interested party to read and understand it, before signing the document in which collects the consent request for the processing of your data. Said basic information states that the controller is BANKIA, S.A., briefly describe the purposes of data processing, the legitimacy In general, for such treatments, the recipients of the information, makes a brief reference to the rights that the interested party can exercise, and a reference to additional information that you can access through a link to a Web page. Next, the consent of the interested party is requested for different purposes, for each one of them must be marked yes or no: o -In a first block, consent is requested for the sending of commercial communications in the following terms: In point 1.1 refers to the sending of "commercial communications personalized through any channel (paper, electronic means, telematic, digital, etc.) about products, services, promotions or discounts from the financial sectors (banking, investment and insurance), real estate, cultural, travel, consumption and leisure based on your profile, drawn up from your personal data, the products you have contracted, as well as from the operations, movements or transactions associated with their products." In point 1.1.1 consent is requested “for the sending of personalized commercial communications about products, services, promotions or discounts of the sectors referenced based on their profile, prepared from your personal data and the products that He has contracts.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 76/117 In point 1.1.2 it refers to “the sending of commercial communications personalized about products, services, promotions or discounts of the referenced sectors based on their profile, drawn up from the operations, movements and transactions associated with their products". In point 1.1.3, the following options are differentiated for sending commercial communications to which, one by one, you can consent: ‐ Physical correspondence ‐ Electronic correspondence (email, ATMs, etc.) ‐ Mobile devices (instant messaging, push notifications, SMS, etc.) ‐ Telemarketing platforms - Social media ‐ Bankia and third party websites Point 1.2 refers to the consent for “the consultation of your data, for part of Bankia in the asset and/or credit solvency files, as well as as other similar sources of information, with the aim of offering you customized financing products.” In point 1.3, consent is requested to participate in programs loyalty, raffles, contests, surveys and social action programs or similar actions, as well as receive news and/or communications about the themselves through any channel (paper, electronic media, telematic, digital, etc.) Points 1.3.1 to 1.3.3 break down 3 different requests: to participate in loyalty programs, to participate in sweepstakes, contests and surveys and to participate in programs of social action or similar actions. o -In another block, consent is requested for the transfer of data to third parties. Point 2 requests consent for the transfer of your personal data for commercial purposes, based on your profile, to companies and companies subsidiaries of the Bankia group or collaborators, whose composition may consult in an updated way in a certain link that is indicated. In point 2.1, the transfer of your data to collaborators is requested so that they carry out commercial actions that fit their needs, based on your personal data, the products you have contracted, as well as from the operations, movements or transactions associated with its products. In point 2.2, the transfer of your data to companies or investees of the Bankia Group so that they carry out commercial actions that are in line with their needs, based on your personal data, the products you have contracted, as well as from the operations, movements or transactions associated with their products. You are informed about the possibility of revoking and modifying at any time the consents given and oppose the treatments based on the interest legitimate and to the exercise of the rights of access, rectification, deletion, opposition and limitation to the treatment and portability of the data. It is stated in the pre-contractual information of the “ON” account; of the debit card ON associated, from the “ON NOMINA” account, from the “ON NOMINA” card, from the “UN & DOS” and associated “UN & DOS” card (documents 8, 9, 10 and 11), in addition to the description of each product the specification of the administration commissions and C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 77/117 maintenance of the account, as well as the associated card fees, transfers in euros, national and EU subject to regulation 260/2012, made by non-face-to-face channel and income from checks in euros payable on the market national will be free as long as all holders maintain a profile digital. The Digital Profile will be held when, among other stipulations, it is fulfilled that: - All cardholders have provided Bankia with their mobile phone number and email. - All holders have authorized Bankia, by subscribing to the Personal data processing document, equivalent document or corresponding contract, the processing of your personal data for sending of commercial communications through any communication channel enabled, including email and mobile phone. - All holders have authorized Bankia, by subscribing to the Personal data processing document, equivalent document or corresponding contract, the transfer of your personal data to companies of your group for the analysis of your profile for commercial purposes.” Said pre-contractual information details the commissions applicable to the different accounts, being the established commissions, coincident for all the accounts, the following: - Maintenance fee X EUR. Free if account holders have digital profile. - Administration commission (per note) X,XX EUR. Free if holders of The account has a digital profile. - With regard to the commissions of the different debit cards associated with the accounts mentioned above, are as follows, according to said information pre-contractual: - Registration fee XX € (free if all customers meet the digital profile). - For maintenance XX € (free if all customers meet the digital profile). Likewise, in the specific pre-contractual information of the ON credit card, indicates that it will accrue the following commissions: "XX € main card, in case of that the holders of the associated account do not maintain the digital profile and the first holder of the account keep the payroll or direct debit pension.” The ON Account contract model (document 12) contains the following commission exemption conditions ON Account and ON Debit cards associated with the same: “The commissions for maintenance and administration of the account, the fee for the ON Debit cards associated with it (maximum one card per holder), and the commissions on deposits of checks in euros payable in the national market and the of transfers in euros, national and EU, subject to regulation 260/2012, made by non-face-to-face channel and for any amount, will be exempt, and will not will apply provided that all account holders comply with the following requirements: (…) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 78/117 Have authorized Bankia, by signing the document of Treatment of Personal data, equivalent document or corresponding contract, the processing of your personal data for sending commercial communications by any communication channel enabled, including email and telephone mobile, as well as the transfer of your personal data to companies of its group for the analysis of your profile for commercial purposes. - (…) Bankia will periodically control compliance with the requirements indicated above and, in case of detecting that any of them is not fulfilled, it will be application automatically, both to the account and to the debit cards associates, the particular standard conditions of the same collected in the this contract.” In the contract model Account ONE & TWO (document 14) they appear identical Commission exemption conditions for the UN & DOS Account and UN Debit cards &DOS associated with it. Likewise, in the ON Account Contract model PAYROLL ON Debit cards and ON Payroll Credit cards associated with it, (document 13) the above requirements are required in the same terms transcribed, as well as its periodic control and the consequences of non-compliance. FOURTH: It is recorded in the minutes of the Inspection visit carried out in the establishment of Bankia dated 12/12/2109, which the representatives of said entity state, to questions from the inspectors, the following: Regarding the so-called digital profile As indicated, by maintaining the digital profile, the customer of ON products from BANKIA benefits from a series of commission bonuses. As stated in the specific informative documents (IPE – Information Specific contractual) of the ON products, such as the ON ACCOUNT and DEBIT CARD ON, the digital profile is displayed when: - “All operations carried out with the account and the card are carried out through of the remote channels available to Bankia at any given time (Bankia Online, Bankia APP, Telephone Office, ATMs, …). - All holders have registered the Bankia Correspondence Service Online, not receiving communications from Bankia on paper. - All cardholders have provided Bankia with their mobile phone number and email electronic. - They have accepted and activated the PUSH messaging service through the App Bankia.” The fourth condition to hold the digital profile, related to the messaging service PUSH, has been added since 12/15/2019 for new hires of products ON, while removing the following conditions: - “All holders have authorized Bankia, by subscribing the Personal data processing document, equivalent document or contract corresponding, the treatment of your personal data for the sending of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 79/117 commercial communications through any enabled communication channel, including email and mobile phone. - All holders have authorized Bankia, by subscribing to the Personal data processing document, equivalent document or contract corresponding, the transfer of your personal data to companies of its group for the analysis of your profile for commercial purposes.” For customers who already had a product ON the new conditions will apply from February 16, that is, after two months have elapsed since they were communicates this contractual modification, having sent the communications on last December 15. Indicates that the two indicated conditions have been removed in the new contracts, and although they would be contractually provided for customers pre-existing until the mentioned modifications communicated are effective on February 16, BANKIA does not take these two conditions into account for the purposes of discount or not commissions since last October 16. Regarding consent BANKIA, for those treatments whose legal basis is consent, has of a system that allows the collection, modification and management of these consents, as well as the traceability of the modifications made, called General Consent Module. This Module also registers the exercises of rights of the clients and allows to take its centralized management. The list of consents is structured in three main blocks with the following associated purposes: - Sending commercial communications - Participation in loyalty programs, raffles, social action and others Similar. - Transfer of data to third parties. The consents thus constitute a numbered multilevel list in such a way that the more general consents are at a higher numbering level and specific ones at a lower level. In this way, consent is granted or not. in a general way, for example, to send commercial communications, and in a specific to each channel through which communications can be received. The consents are recorded in a document called Treatments of Personal Data (TDP) that includes customer data protection information. This document is always signed by the client during the registration process, prior to contracting any product, both through online banking (with signature code) or in person at the office, on a Tablet that is provided (digital tablet that It is also used to collect the signing of contracts and operations transactions executed by any client). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 80/117 When the consents are modified, they are recorded in a document similarly called Modification Treatment Authorizations (MTA). This document It is also signed by the client. BANKIA reformed and updated the list of consents on the occasion of the entry into force of the RGPD in May 2018 and sent a communication to all customers reporting the entry into force of the new Regulation, initiating a new process consent collection. When the new list of consents was put into operation due to a incident in the online channel that required adaptations to the systems (affected only to ON account customers contracted through the online channel) between July 8 and On August 15, 2018, the consents were shown pre-marked, in a state of acceptance (“consent”), for new customers. That is, when a new customer was registered through the online channel, the consents were pre-marked during the registration process, not occurring in office registrations. Also, for existing customers, during this period, new consents (which did not exist previously on which therefore the client does not had expressed) were marked with an acceptance status, but the consents pre-existing ones on which they had already expressed their authorization or refusal they were in the state that the client had decided. As of August 16, 2018, pre-marked consents in a state of acceptance or "consent" (green color in the application) are shown to "no I consent” (red color), and finally passed to the status of “not collected” (gray color) in February 2019. Statistics: The consents of some 5,842,000 clients of the 8,281,000 that the entity has at the moment. The missing customers answer constitute 29%, they correspond to inactive clients, and their consents are unchecked. However, for any treatment these consents are considered in a “no” state to prevent their use. Of those who have answered, 89% have accepted all the consents, 7.5% They answered partially accepting, and 3.2% answered “no” to all of them. I consent”. The number of customers who passed the registration process in the period between on 07/08/2018 and 08/15/2018 (ON products through the online channel), are a total of 2,562 (of which 2,192 are still active and 270 have been cancelled). of the clients who are still active 38 have subsequently modified consents. For all these reasons, there are 2,154 active clients who gave their consent pre-marked and have not subsequently modified them, accounting for 0.16% of the total number of consents given by online banking and 0.03% of the total consents collected from the total number of clients that appear in the BANKIA database. Currently, and since before 05/25/2018, when a new client registers at BANKIA, both online and at the branch, you must fill in the consents C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 81/117 generating the aforementioned document called Data Processing Personal (TDP), who signs. It is not possible to continue the registration of the client without the signature of said document. The consents are unmarked (in gray), having to mark the client's decision to consent or not. All BANKIA employees can check customer consent on-line, as well as the changes that the clients have made and the documents of signed consents. There is also traceability of the consents prior to the RGPD. It is recorded that the Agency's inspectors carried out the following checks after requesting access to the Consent Management Module: - It is accessed by means of a BANKIA employee user code and password to the data of the consents provided by one of the people present in the room, client of the entity, verifying that the document of Treatment of Personal Data (TPD) dated May 21, 2018. It is accessed also to the modifications made later on the consents (MTA documents) as well as the current status of consents. Regarding data transfers. Although the consent of customers has been requested, BANKIA has not transferred its personal data neither to the companies of the group nor to other collaborating entities based on these general consents of the TDP nor is there any provision for it. The consents for assignments were requested as a general measure. In case of If an assignment is made, specific consent would again be requested from customers involved. Attached to the inspection certificate is a copy of the specific consent requested for the UNI&DOS account for the entity ***ENTITY.1 (for preparation of wedding list). This specific consent does not constitute a legal necessity since it is counted with the general consent obtained. However, BANKIA has considered obtain a specific consent for ethical commitment with its clients. In addition, in the event of a transfer in the future, the project would become informed by the Office of the DPO, which would study and apply both the criteria for regulatory compliance such as ethics, taking the appropriate measures to the case concrete that arises. There is no link or published document that contains the list of companies collaborators since there is none to which data is transferred based on the general consent obtained through the TDP. The assignments that are made are carried out by means of ad hoc consent of the clients involved. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 82/117 FIFTH: Contained in the response received at this Agency on June 19, 2020, in response to the request made by the Data Inspectorate regarding the customers who completed the process of registering ON products through the online channel in the period between 08(07/2018 and 08/15/2018, period during the which the consents were pre-marked in said channel that, of the 2,562 customers who registered an On account through Bankia Online in the indicated period, as of June 9, 2020, a total of 2,171 clients. The remaining 391 clients have ceased to have positions active with Bankia, and therefore are no longer clients of the entity. Also, of these 2,171 clients, 1,359 clients have modified their consents at least once dated after 08/15/2018 and the remaining 812 clients have not modified it in no occasion since they were lent at the time of registration of the On account. It is also stated in the response to the request made by the Inspection that following: These 812 customers represent 0.06% of the total number of On account holders and the 0.009% of all Bankia customers. These are On accounts without movements or any significant activity in recent months or, in many cases, with balances in refusal to regularize, having tried to contact the holders in several occasions without it having been achieved. A communication was made to all of them in December 2019, informing them of the modification of the conditions for the fulfillment of the digital profile by which As of February 2020, they ceased to be a condition to meet said profile, and therefore to benefit from the commission exemption, those related to having authorized Bankia, by signing the Personal Data Processing document, equivalent document or corresponding contract, the processing of your data personal information for sending commercial communications through any communication channel. communication enabled, including email and mobile phone and having authorized to Bankia, by signing the Data Processing document Personal, equivalent document or corresponding contract, the transfer of your data to companies in your group for the analysis of your profile for commercial purposes. However, due to a commercial decision of the Entity as of September 16, 2019 the authorization for the transfer of data to group companies was not considered as a necessary requirement to fulfill the digital profile for the purposes of exemption or collection of commissions. The 812 clients who have not modified their consents or have withdrawn from the entity, have been the object of any commercial action through email or SMS. These actions have been developed in the period between August 2018 (registration date) and April 2020 (in May the contact process began and new collection of consents from these clients that is explained in the following section, marking their consents as denied until they are collected again). Regarding the actions to be carried out with said group to obtain their consents without pre-selected options, the following have been adopted: Consent has been requested again from customers who do not have modified them, taking advantage of the first interaction with the entity by C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 83/117 any of the enabled channels (branch, Bankia Online or Bankia App). This obtaining of the new consents, from a neutral position to the option of acceptance or non-acceptance that in each case is chosen by the interested party for each of the requested consents, it has been configured as a necessary step to be able to continue the operation by any of the channels. Those clients who have not passed this process have been considered as customers who have not given their consent to the entity regardless of the meaning of the consents they gave in the account registration process On, and have been marked in systems as if all consents were refused. All On account holders were informed, in December 2019, of the change of conditions of the digital profile, and the elimination of the requirements of have authorized the sending of commercial communications and the transfer of data for the purpose of charging or exempting commissions. Contact has been made by telephone (through the corresponding managers) with customers who have not modified consents; in the case of 812 clients who have not yet gone through the process, although attempts have been made contacting them on several occasions, the result has been unsuccessful. The process of canceling those accounts that are inactive and without activity in recent months. SIXTH: It is in writing with entry in this Agency on June 11, 2109 the following information about clients who have contracted the ON accounts: As of May 31, 2019: Product ON Total Clients ON Payroll Account 27,700 Count One & Two 1,178 Account ON 1,168,122 Information on the consents given by the holders of the On a accounts date May 31, 2019: account Number of clients Advertising Cession of Advertising Cession of (YES) Data (YES) (NO) Data (NO) ON Payroll 27700 26896 26896 804 804 One & Two 1178 1134 1119 44 59 ON 1168122 937942 924662 23180 243460 It is stated in writing received by this Agency on June 19, 2020 that the total number of customers with ON products as of June 9, 2020 (holders/co-holders) was 1,256,352 clients (653,463 accounts). It is stated in the letter of June 19, 2020 that the total amount of commissions collected during 2019 from On account holders who have not met any of the conditions of the digital profile was €2,367,954.32 according to the following breakdown: Administration fee: €27,074.59. Maintenance / Inactivity: €297,633.91. Maintenance commission: €2,043,245.91. Total: €2,367,954.32. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 84/117 Regarding the 812 clients whose consents were pre-marked and not have modified their consents or have withdrawn from the entity, only commission has been accrued in the case of 2 clients being the global annual amount charged for this concept to each of the two clients of five (5) euros. One has to highlight that the collection could have been produced by the non-compliance, in the period monthly settlement, of any of the conditions of the digital profile, sufficing that one of them is breached so that the exemption from the commissions does not proceed, for example, use the physical office channel, request to receive communications on paper, etc.… It is stated in the same document that the total amount of discounted commissions (not collected) in 2019 from On account holders was €32,110,990 in accordance with following breakdown: Accounts opened before 2019: €22,101,900. Accounts opened in 2019: €10,009,090. Total: €32,110,990. It is also stated that compliance with the conditions of the digital profile that gives rise to in the On accounts to the application of the commission exemption, it is not linked to the need to have a certain amount of annual or monthly income. Consequently, On account holders do not have to declare certain income to open the account or to fulfill the conditions of the digital profile. Regarding Bankia's total annual global turnover in the financial year 2019, it is stated in the document sent on June 19, 2020 that the net margin before provisions is 1,428 million euros, according to the information collected in the 2019 Annual Results Report published on the entity's website. the volume of business of the Caixabank group in 2020, according to the information contained in the annual accounts published on its website by said entity is 12,172 million of euros. SEVENTH: The BANKIA website informs the user of that website that the merger by absorption of Bankia, S.A. has taken place. by CaixaBank, S.A., succeeding the second entity to the first, universally in all rights and obligations. It is recorded in the Mercantile Registry in the data relating to the entity BANKIA, S.A, the following observation “Extinction”. It is also stated that “on September 18 2020, on the corporate website of BANKIA, S.A. www.bankia.com has been insert the common merger project between the companies CaixaBank, S.A. - absorbent- and BANKIA, S.A.-absorbed-.” FOUNDATIONS OF LAW I The Director of the Agency is competent to initiate and resolve this procedure. Spanish Data Protection, in accordance with the provisions of art. 58.2 of the of Regulation (EU) 2016/679, of the European Parliament and of the Council, of 04/27/2016, regarding the Protection of Natural Persons with regard to the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 85/117 Treatment of Personal Data and the Free Circulation of these Data (Regulation General Data Protection, hereinafter RGPD) and in art. 47 and 48.1 of the Law Organic 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD). Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Agency for Data Protection will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations issued in its development and, as long as they do not contradict them, with a subsidiary, by the general rules on administrative procedures.” II Previously, it is considered appropriate to analyze the formal issues raised by CAIXABANK S.A. (hereinafter CAIXABANK) in its pleadings brief. In the first place, CAIXABANK considers that the start-up agreement is vitiated by nullity due to the defenselessness produced by setting the amount of the sanction in the opening agreement, instead of expressing only the limits of the possible sanction, and without the aggravating circumstances having been motivated or the entity having had an opportunity to speak out about it. For this same circumstance, consider that the initial agreement exceeds the legally foreseen content, violating the article 68 of the LOPDGDD, and understands that the impartiality of the examining body has been affected, knows before starting the procedure the criterion of the body to which it must raise the file, in a clear breach of the principle of separation of the investigative phase and sanction (article 63.1 of the LPACAP). In this regard, CAIXABANK adds that article 85 of the LPACAP, which is invoked in the operative part of the agreement to initiate the procedure to specify the reductions that acknowledgment of responsibility entails, determines that the amount of the pecuniary sanction may be determined “once the proceeding sanctioning” and that is only applicable to cases that give rise to the imposition of a fixed and objective fine. This Agency does not share the position expressed by CAIXABANK in relation to the content of the opening agreement of this sanctioning procedure. In the opinion of this Agency, the start-up agreement issued is in accordance with the provisions of article 68 of the LOPDGDD, according to which it will suffice that the agreement to initiate the procedure specify the facts that motivate the opening, identify the person or entity against the which the procedure is directed, the infraction that could have been committed and its possible sanction (in this case, of the different corrective powers contemplated in article 58.2 of the RGPD, the Agency considered the imposition of a fine to be appropriate, without prejudice to what may result from the instruction of the procedure). In the same sense, article 64.2 of the LPACAP is expressed, which establishes expressly the minimum content of initiation agreement. According to this precept, among other details, it must contain “the facts that motivate the initiation of the procedure, its possible legal qualification and the sanctions that could correspond, without prejudice to what results from the investigation”. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 86/117 In this case, not only are the requirements mentioned amply fulfilled, but that goes further by offering reasoning that justifies the possible qualification of the facts valued at the beginning and, even, the circumstances are mentioned that may influence the determination of the sanction. In accordance with the above, it cannot be said that pointing out the possible sanction that could correspond for the imputed infractions is determinant of defenselessness or that supposes a rupture of the principle of separation of the phases of investigation and resolution. On the contrary, this fulfills one of the requirements laid down in the standards outlined. Likewise, it cannot be forgotten that article 85 of the LPACAP contemplates the possibility of applying reductions on the amount of the sanction in case the offender acknowledges its responsibility and in case of voluntary payment of the penalty. East This provision establishes the obligation to determine these reductions in the notification of initiation of the procedure, which entails the need to set the amount of the sanction corresponding to the imputed acts. Contrary to what CAIXABANK pointed out, this article 85 of the LPACAP does not establishes that the amount of the penalty is determined once the procedure has been initiated. It is the acknowledgment of responsibility and the voluntary payment of the penalty that has to occur after that time, and not the fixing of the amount of the sanction, as stated by CAIXABANK. Likewise, CAIXABANK understands, in accordance with the provisions of article 85.3 of the LPACAP that reductions should be adopted on the proposed sanction. This Agency cannot share this argument. It suffices to point out that the voluntary payment can be done by the interested party at any time during the procedure prior to the resolution and implies its termination. Thus, so that the interested party can make Using this option, the amount of the penalty must be established at the beginning. Of the same form, it will be difficult for said interested party to recognize his responsibility initiated a sanctioning procedure if the agreement that determines that beginning does not indicate the scope to be attributed to that acknowledgment of responsibility. The provision contained in article 85 of the LPACAP is established by the legislator in order to stimulate the acknowledgment of liability or voluntary payment. sanction, thus quickly resolving the conflict with the Administration tion and avoiding being subjected to a sanctioning procedure any longer. By For this, it is essential that the amount of the sanction is perfectly individualized already in the agreement to initiate the sanctioning procedure (articles 64 and 85.3 of the LPACAP), resulting, otherwise, its payment impossible until the proposal decision, final action of the examining body, which may cause clear damage ro to the claimed party. The criterion of the AEPD has been endorsed by the National High Court, as well as the SAN of 03/22/2019, (rec. 625/2017) in its fourth foundation states: “We must start from the fact that the object of this contentious-administrative appeal is a resolution issued under art. 85 of Law 39/2015, of October 1, of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 87/117 Common Administrative Procedure of Public Administrations, which provides: "1. Started a sanctioning procedure, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction is solely pecuniary in nature or it is possible to impose a pecuniary sanction and another of a non-pecuniary nature, but the inadmissibility of the second, the voluntary payment by the alleged perpetrator, in any time prior to the resolution, will imply the termination of the procedure, except in relation to the replacement of the altered situation or the determination of the compensation for damages caused by the commission of the infringement. 3.In both cases, when the sanction is solely pecuniary in nature, the competent body to resolve the procedure will apply reductions of, at least, 20% of the amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions must be determined in the notification of initiation of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of any administrative action or recourse against the sanction. The reduction percentage provided for in this section may be increased regulations". In accordance with the aforementioned precept, reductions in sanctions of at least 20%, as is the case at hand, must be determined in the notification of initiation of the procedure, as stated in the resolution of 26 April 2017, outlined in the preceding Legal Basis. For him appellant as a result of the resolution proposal, the amount of the sanctions was paid with the reduction of 20%, urging in the request of the brief presented on October 3 of 2017, that the voluntary payment was considered made, in a timely manner, and proceed to terminate the procedure. On the other hand, in order to proceed with the 20% reduction of the sanctions that have been carried out, it is conditioned to the withdrawal or resignation of any administrative action or recourse against the sanction. Well, the voluntary payment by the appellant with the reduction of 20% of the amount sanctions, implies the waiver of any action or resource in administrative in relation to the imputed facts, and therefore, benefits from said reduction, since that, otherwise, the procedure would have continued its course, having been able to end with the imposition of the amount of the sanctions foreseen in the proposal of resolution. Consequently, it is appropriate to dismiss this contentious-administrative appeal, without it being necessary to go into the grounds for objection adduced in the lawsuit in relation to the imputed infractions.” (emphasis ours) In this same sense, the SAN of 10/15/2019, (rec. 601/2017) in its foundation of fourth right declares that "The challenged Resolution, by which the Director of the Spanish Agency for Data Protection put an end to the sanctioning procedure PS / 00370/2017, ends the procedure for voluntary payment of the sanctioned, in application of article 85 of Law 39/2015, of October 1, whose application had C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 88/117 expressly requested by the plaintiff bank in a letter dated September 6 2017, after being notified of the agreement to initiate the procedure, and acknowledged its responsibility in the facts that caused the opening of the procedure and desisted and waived any administrative action or recourse against the sanction imposed. In this way, it benefited from the two reductions provided for in article 85 cited, that is, that is, by acknowledgment of their responsibility and by voluntary payment within the term legally provided, so that the penalty indicated in the initial agreement (20,000 euros) was set at 12,000 euros, which were paid by the bank. Article 85 of Law 39/2015, provides that: "1. Initiated a procedure sanctioning party, if the offender acknowledges his responsibility, the procedure with the imposition of the appropriate sanction. 2. When the sanction is solely pecuniary in nature or it is possible to impose a pecuniary sanction and another of a non-pecuniary nature, but the inadmissibility of the second, the voluntary payment by the alleged perpetrator, in any time prior to the resolution, will imply the termination of the procedure, except in relation to the replacement of the altered situation or the determination of the compensation for damages caused by the commission of the infringement. 3.In both cases, when the sanction is solely pecuniary in nature, the competent body to resolve the procedure will apply reductions of, at least, 20% of the amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions must be determined in the notification of initiation of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of any administrative action or recourse against the sanction. The reduction percentage provided for in this section may be increased regulations". In the judgment of this Chamber of March 19, 2019 (R. 625/2017), in a case Similarly, it was considered that: "[...] In accordance with the aforementioned precept, the reductions of the penalties of at least 20%, as is the case at hand, must be determined in the notification of initiation of the procedure, as It is recorded in the resolution of April 26, 2017, outlined in the Basis of precedent law. By the appellant as a result of the resolution proposal, it was paid the amount of the sanctions with the reduction of 20%, urging in the plea of the writing presented on October 3, 2017, that the voluntary payment was considered made, in time and form, and proceed to terminate the procedure. On the other hand, in order to proceed with the 20% reduction of the sanctions that have been carried out, it is conditioned to the withdrawal or resignation of any administrative action or recourse against the sanction. Well, the voluntary payment by the appellant with the reduction of 20% of the amount sanctions, implies the waiver of any action or resource in administrative in relation to the imputed facts, and therefore, benefits from said reduction, since that, otherwise, the procedure would have continued its course, having been able to end with the imposition of the amount of the sanctions foreseen in the proposal of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 89/117 resolution. Consequently, the present contentious appeal must be dismissed. administrative, without it being necessary to go into the reasons for challenging adduced in the application in relation to the imputed infractions [...]». It is now appropriate to resolve in the same direction since all the circumstances required in article 85 cited, which contemplates a specific form of termination of sanctioning procedures: determination of possible reductions in the notification of the start of the procedure, acknowledgment of responsibility and payment voluntary in term, as well as resignation of actions or resources in administrative against the sanction. (the underlining is from the AEPD) CAIXABANK alleges that the defenselessness that has been generated by the actions of the AEPD in this case could not be considered corrected by the fact that the same has been able to make objections to the initial agreement. And this is so because the mere The fact of its formulation implies an increase in the amount that would be forced to satisfy, since the AEPD does not recognize the defendant the possibility of exercising the option contained in article 85.1 of the LPACAP (that is, to admit his fault in any moment of the procedure) in the event that it has issued arguments to the start agreement. Understands that the consequence of everything indicated is that there is a radical defect in the processing of this sanctioning file, derived from a interpretation contrary to the Constitution of articles 64 and 85 of the LPACAP, which affects the nullity of the procedure, having violated the rights of CAIXABANK, as established in article 47.1 a) of the LPACAP. This Agency cannot share such an argument, the interpretation made by the AEPD of the provisions of article 85 of Law 39/2015 is strictly adjusted to the provisions in said norm and the jurisprudence applicable to it, without being able to cross out said interpretation of unconstitutional. The fundamental right to freedom is not violated effective judicial protection, which the interested party may exercise in any case, but said provision provides for two reductions, one for acknowledgment of responsibility and another for voluntary payment within the stipulated period. As long as there is no acknowledgment of responsibility, defending the interested party the legality of his action against the agreement to initiate the procedure, said reduction in the motion for a resolution which, however, leaves open the possibility of a payment voluntary. This is reflected in the judgment of the TS of 02/18/2021 precisely in a cassation appeal, against the judgment of the National High Court regarding the resolution issued by the Director of the AEPD regarding the termination procedure for payment volunteer of a sanction for infraction of the LOPD by pointing out that: "In this way, benefited from the two reductions provided for in article 85 cited, that is, for acknowledgment of their responsibility and for voluntary payment within the stipulated term legally,(…)" On the other hand, and with regard to the violation of the principle of judicial protection effective, there is no place here but to bring up what was stated in the Judgment of the Court Supreme Court of February 18, 2021, previously partially transcribed. The Court declares Supreme in its fourth foundation that “(…) i) Rejected the previous allegation, must also be rejected the invocation that the recurrent effect of the STC no. 76/1990 to justify that the Trial Chamber has violated his right to effective judicial protection by refusing his contentious appeal- administrative. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 90/117 As we have said, the Court of First Instance did not inadmit the appeal, but rather dismissed But it is that, in addition, at this point we must specify that the STC no. 76/1990, which the appellant invokes in support of its claims, rejected that the Article 89.2 of Law 10/1985, of April 26, partially modifying the Law General Tributaria entail a violation of the right to effective judicial protection for requiring, for the ex gratia forgiveness of tax debts, that the subjects offenders or responsible expressly renounce the exercise of any action of objection, establishing the following to that effect: " B) With a text that does not substantially differ from the previous wording, art. 89.2 prescribes the waiver of the exercise of any challenge action in order to request the ex gratia forgiveness of the tax penalty; With this, the legislator intends to speed up and make the collection of tax debts more flexible, it being understood that the remission it affects only the sanction and not the rest of the tax debt. But from the perspective of the responsible subject, it is clear that this abstention in the exercise of challenges does not imply a waiver of the right to effective judicial protection, which would in itself be itself unconstitutional, given the inalienable and unavailable nature of this right fundamental, but simply to the use of such right and the actions in which it is manifested for a period of time and in relation to a specific administrative act. And the reason for such renunciation is similar to that of the assumption previously examined, since here it is also about obtaining a benefit to which one has no right - the ex gratia remission of the sanction - for which purpose it is necessary to satisfy the of the prior waiver to challenge the liquidation made. To the extent that such sacrifice is not disproportionate, it is freely adopted by the interested party and with the itself an ex-gratia benefit is obtained, which is the one that best suits the interests of the petitioner for the remission, there is no violation of a fundamental right any. This Court has declared that, although fundamental rights are permanent and imprescriptible, this is perfectly compatible with the establishment of limits temporary within the legal system for the exercise of the corresponding actions (STC 7/1983, legal basis 3rd). If the imprescriptibility of rights fundamental is not an obstacle to the temporary nature of the actions for their defense, the inalienability of such rights does not prevent the voluntary and transitory renunciation of the exercise of actions in pursuit of ex-gratia benefits whose eventual achievement is for the interested party more advantageous than the one that could result of that exercise. Secondly, it considers that CAIXABANK has been left defenseless in the processing of the procedure, which determines its nullity. It states in the allegations to the Agreement to Initiate the procedure that the file It has only been transferred to CAIXABANK on May 27, 2021, when There were only two working days left for the formulation of allegations, without even even agree on the aforementioned date the extension of the term for its formulation for five days from receipt of the file, given that on the same date clarified that the requested extension period began to be computed on the 24th of May, that is, 3 days before receipt of the file. Consider that in the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 91/117 In practice, the issuance of pleadings has been reduced to a period of two working days, which which creates a situation of absolute defenselessness. It should be indicated here that the startup agreement is notified to CAIXABANK by means emails on May 7, 2021, the notification dated May 10, 2021 being accepted of May 2021 and that it is not until May 18 of the same month in which it has entry into this Agency written by the protection delegate, stating to act in name and representation of CAIXABANK by virtue of its capacity as Delegate of Data Protection, in which you request a copy of the sanctioning file and extension of the term to formulate allegations. Taking into account that the appointment as a data protection delegate by an entity not entails that of representative of the same and that was not accredited in the file that CAIXABANK's data protection delegate held the condition of representative of the same, it was required, on May 24, to said entity, to accredit said representation, which it carried out on the 26th of May 2021. On the same day, May 26, 2021, the submission of the file, stating that it was received by CAISABANK the same day. In the same date it was agreed to extend the deadline for allegations up to the maximum legal deadline permitted in article 32 of the LPACAP. In the opinion of this Agency, it cannot be understood here that CAIXABANK has been produced any defenselessness, insofar as he was able to request an extension of the term and a copy of the file from the same day of the notification of the same, however, I do not make such requests until more than half of the period for had for it. Likewise, when he made said requests, the representation held by the person claiming to act on behalf of said entity, which forced to correct said omission and delayed the delivery of the documentation. On the other hand, the extension of the term was carried out in the terms established by article 32 of the LPACAP, agreeing to extend the term legal up to the maximum permitted in said precept. It must also be taken into account account that nothing prevented him from making new allegations under the provisions of the article 76 of the same Law, which it has not done. In this regard, it should also be taken into account that the Judgment of the Court Supreme of October 11, 2012 appeal no. 408/2010 states the following: “(…) No defenselessness occurs for these purposes if the interested party has been able to allege and prove in the file as much as it has considered appropriate in defense of its rights and position assumed, as well as appeal for replacement, a doctrine that is based on article 24.1 CE, if it made the allegations it deemed appropriate within the file" (S.T.S. 27 of February 1991), "if he exercised, finally, all the appropriate resources, both the administrative as well as jurisdictional" (S.TS. of July 20, 1992). Therefore, "if the interested in administrative or contentious-administrative appeals has had the opportunity to defend themselves and assert their points of view, it can be understood that the omission has been corrected and it becomes insignificant for the real interests of the recurrent and for the objectivity of the control of the Administration, making compatible the constitutional prohibition of defenselessness with the advantages of the principle of economy process that complements the first without opposing it at all and that excludes useless procedural actions for the purposes of the procedure" (SS.TS. of 6 of July 1988 and June 17, 1991).” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 92/117 In this same sense declares the STC 78/1999, of April 26, in its Foundation Juridical 2: "Thus, according to reiterated constitutional doctrine that is synthesized in the 3rd legal basis of the STC 62/1998, "the estimation of an appeal for protection by the existence of breaches of procedural rules 'does not simply result from the assessment of the eventual violation of the right due to the existence of a defect procedural more or less serious, but it is necessary to prove the effective concurrence of a state of material or real defenselessness' (STC 126/1991, legal basis 5º; STC 290/1993, legal basis 4º). So that a helplessness can be estimated with constitutional relevance, which places the interested party outside any possibility of claim and defend their rights in the process, a violation is not enough merely formal, being necessary that a formal effect be derived from this formal infringement. defenseless material, an effective and real impairment of the right of defense (STC 149/1998, legal basis 3), with the consequent real and effective damage to the affected stakeholders (SSTC 155/1988, legal basis 4, and 112/1989, 2nd legal basis). Regarding the alleged artificial extension of the investigation phase in the present procedure, this Agency cannot share the allegations of CAIXABANK. This Agency understands that contrary to what is indicated by CAIXABANK has complied with the provisions of articles 64 and 65 of the LOPDGDD, without being considered, as stated in the allegations to the agreement to initiate this proceeding, that the claim filed on the date February 13, 2019, has been admitted with the agreement to initiate an investigation of date February 21. Said agreement, as it results from the actual documentation in the file, does not take such claim into consideration but rather has its origin in the analysis carried out by the audit unit of the General Subdirectorate of Inspection having had knowledge of the characteristics of the ON account. With regard to the various complaints that were received throughout the processing of the file, it has proceeded in accordance with the provisions of article 65.3 of the LOPDGDD giving transfer to the data protection delegate, for the purposes of resolve on the admission to processing of the claim, a procedure that although it has optional character for the AEPD, comes to suppose a guarantee for the claimed, to the that he is given the opportunity to present the reasons for his actions in the face of the claim made and, where appropriate, the corrective measures adopted aimed at to put an end to a possible breach of data protection legislation, with character prior to admission or not for processing. The fact that the claims deal with similar facts and that there was an ongoing investigation does not determine that such claims "were admitted for processing from the agreement of initiation of investigative actions” as stated by CAIXABANK. The transfer of each of the claims received to the claimed party is not, in consequently, a merely bureaucratic process, as CAIXABANK alleges, ensuring that whatever your answer in relation to the aforementioned claims, the facts to which they referred were already being investigation by the AEPD. On the contrary, this Agency understands that such actions were pertinent, allowing CAIXABANK to express the reality or not of the claimed facts, so that your answer would come to determine the incorporation or not of such claim to the initiated file. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 93/117 Said entity also affirms that the AEPD denies any relevance to the agreements of admission for processing, since they do not display any effect in the terms provided in the article 64 of the LOPDGDD, since they do not determine the performance of actions investigators nor the opening of any sanctioning procedure. This allegation cannot be admitted either, in this proceeding the initiation of an initial agreement adopted on its own initiative, as provided for in article 64.2 LOPDGDD, with a successive series of claims, these having been dealt with in accordance with the provisions of article 65, giving transfer to the claimed and incorporating the same, once received a response that in the opinion of this Agency determined its admission for processing, for reasons of procedural economy to another procedure in course, avoiding the opening of successive procedures and the progressive accumulation thereof. Likewise, this Agency understands that it was necessary to carry out new actions Regarding the facts known as a result of the inspection carried out, relating to the absence of consent, which determined a new requirement to said entity to determine the concurrent elements in such treatments. On the alleged artificial extension of the procedure, Caixabank invokes the doctrine seated by the National High Court (AN) in its Judgment of 10/17/2007 (appeal 180/2006), in which it highlighted the illegality of the inappropriate extension or unfounded from previous investigative actions. This Judgment refers to a course processed by the AEPD in which the previous investigation actions are remained inactive for almost eleven months, when the entity in question had responded to the request for information in the first two months of processing the these actions. The National High Court concluded that there was a “[…] Fraudulent use of the institution of preliminary investigations. we are in consequence in the event of fraud of the Law contemplated in article 6.4 of the Civil Code, since it is intended to circumvent the application of Art. 42.2 of the Law 30/1992 using the request for information to, with it, avoid the expiration of the disciplinary record”. It is necessary to specify that the National High Court modified this criterion based on the Judgment of 11/19/2008 (appeal 90/2008). As stated in the proposal of resolution the criterion of the judgment of 10/17/2007 alleged by CAIXABANK came referring to investigative actions carried out at a time when there was no a term fixed by any norm to carry out the same, while the Law 30/1992 in force at that time did not do so, as the current Law 39/2015 does not. The Regulations for the development of Organic Law 15/1999, of December 13, of protection of personal data, approved by Royal Decree 1720/2007, of December 21, established in its article 122 a maximum duration of twelve months to carry out the same, just as the current LOPDGDD does. CAIXABANK's allegations that the Judgment of 11/19/2008 did not modified the criteria of the judgment cited by said entity as it considered erroneous said doctrine but in other reasons exposed in the same and that determine its application, that is, that the delay produced in the processing of the actions prior notices had not been due to fraudulent intent to prevent expiration of the sanctioning file but to a significant increase in the work to be carried out by the works of the AEPD that justified the same, omit that said Judgment indicated C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 94/117 also "Reasons that mean that the previous doctrine of the Chamber cannot be appraised in the case, to which the maximum period of twelve months of duration that article 122 of RD 1720/2007, of December 21, provides at present for said "prior actions", taking into consideration that such regulatory standard is only applicable to actions initiated after its entry into force (that is, as of April 19, 2008).” (the underlining is from the AEPD). This Agency thus considers that the doctrine established in the Judgment of 10/17/2007 has been passed, as there is a rule that sets the deadline during the which the AEPD can carry out investigative actions. On the other hand, the same judgment invoked by CAIXABANK refers to the consequences that the paralysis of the file had and that supposedly tried, in fraud of law to avoid, which are none other than the expiration of the sanction file. In the same way, article 122.4 Regulation of development of Organic Law 15/1999, of December 13, indicated the same Consequently, the expiration of the previous actions once the term of twelve months to carry them out without the agreement having been issued and notified initiation of the sanctioning procedure. The requirements and effects of expiration are established in article 95 of Law 39/2015, in its article 95, precept that allows not only the initiation of a new procedure when there has been no produced the prescription, but even makes it possible in its number four that the The same is not applicable in the event that the issue raised affects the interest general or it is convenient to substantiate it for its definition and clarification. CAIXABANK alleges that the special rule applicable to the actions of the AEPD, this is, the LOPDGDD provides in its article 67 that investigation actions "do not may have a duration of more than 12 months” and that this rule is the only applicable to the procedure, since not only Law 39/2015 is not applicable by be only of subsidiary application, but article 63.2 provides that "the procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, insofar as they are not contradict, on a subsidiary basis, by the general rules of procedures administrative.” In the opinion of this Agency, there is no contradiction between what is established in the article 67 of the LOPDGDD and article 95 of Law 39/2015. The first indicates a period of 12 months to carry out actions, the overcoming of which determines the expiration of the procedure, being the effects of that expiration those foreseen in the Law 39/2015, which is the one that regulates said institution. It cannot be deduced, how does CAIXABANK, that expiration is excluded from application to procedures sanctions governed by the LOPDGDD, nor does article 67 of the LOPDGDD provide for such consequence, nor does it emerge from the alleged jurisprudence, that by the On the contrary, it indicates precisely this effect. Consequently, this Agency cannot share CAIXABANK's interpretation that the use of expiration is carried out in fraud of law invoking a judgment of the National High Court that no reference is made to such an institution and whose criterion was, not only modified already in 2008, but surpassed by the establishment of a period to carry out preliminary actions. You also can't share the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 95/117 consideration that the non-application of the terms of the LOPDGDD of article 95 of Law 39/2015, a precept that sets as the only limit that has produced the prescription of the infraction, even allowing such limit to be exceeds in certain cases, which has not occurred in the present case. III Article 6 of the RGPD refers to the legality of data processing, providing that: "1. The treatment will only be lawful if at least one of the following is met terms: a) the interested party gave their consent for the processing of their personal data for one or more specific purposes; b) the treatment is necessary for the execution of a contract in which the interested party is part of or for the application at the request of the latter of pre-contractual measures; c) the treatment is necessary for the fulfillment of a legal obligation applicable to the data controller; d) the treatment is necessary to protect the vital interests of the interested party or another Physical person; e) the treatment is necessary for the fulfillment of a mission carried out in the interest public or in the exercise of public powers vested in the data controller; f) the treatment is necessary for the satisfaction of legitimate interests pursued by the person in charge of the treatment or by a third party, provided that on said interests do not override the interests or fundamental rights and freedoms of the interested party that require the protection of personal data, in particular when the interested is a child. The provisions of letter f) of the first paragraph shall not apply to the processing carried out by public authorities in the exercise of their functions.” Article 4.11 of the RGPD defines the "consent of the interested party for the treatment of your personal data”, such as: any manifestation of free will, specific, informed and unequivocal by which the interested party accepts, either through a declaration or a clear affirmative action, the treatment of personal data that concern”. Article 7 of the RGPD refers to the conditions of consent establishing that: "1. When the treatment is based on the consent of the interested party, the person in charge You must be able to demonstrate that you consented to the processing of your data personal. 2. If the data subject's consent is given in the context of a written statement that also refers to other matters, the request for consent will be presented in in such a way that it is clearly distinguishable from other matters, in an intelligible and easy access and using clear and simple language. No part will be binding of the statement that constitutes an infringement of this Regulation. 3. The interested party shall have the right to withdraw their consent at any time. The Withdrawal of consent will not affect the legality of the treatment based on the consent prior to withdrawal. Before giving their consent, the interested party will be informed of it. It will be as easy to withdraw consent as it is to give it. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 96/117 4. When assessing whether the consent has been freely given, it will be taken into account in the greatest extent possible whether, among other things, the performance of a contract, including the provision of a service, is subject to consent to the processing of personal data that is not necessary for the execution of said contract”. For its part, recital (32) of the RGPD specifies that: “Consent must given through a clear affirmative act that reflects a manifestation of will free, specific, informed, and unequivocal of the interested party to accept the treatment of personal data concerning you, such as a written statement, including by electronic means, or a verbal statement. This could include marking a box on a website on the internet, choose technical parameters for use of services of the information society, or any other statement or conduct that clearly indicates in this context that the interested party accepts the proposal of treatment of your personal data. Therefore, silence, boxes already checked or inaction should not constitute consent. Consent must be given for all treatment activities carried out for the same or the same purposes. When the treatment has several purposes, consent must be given for all they. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not disturb unnecessarily the use of the service for which it is provided.” Recital (42) of the GDPR indicates that: “(...) In accordance with Directive 93/13/ Council EWC, a model declaration of consent must be provided previously prepared by the data controller with an intelligent formulation accessible and accessible, using clear and simple language, and containing no clauses. abusive bullshit. In order for the consent to be informed, the interested party must know at least the identity of the person responsible for the treatment and the purposes of the treatment to which the personal data is intended. Consent should not be considered borrow freely when the interested party does not enjoy a true or free choice or you cannot withhold or withdraw your consent without prejudice.” Recital (43) indicates that: “To ensure that consent has been given freely, this should not constitute a valid legal basis for the treatment of personal data in a specific case in which there is a clear imbalance between the interested party and the data controller, in particular when said res- responsible is a public authority and it is therefore unlikely that the consent to have been given freely in all the circumstances of that particular situation. Consent is presumed not to have been freely given when it does not allow authorization. separate the different personal data processing operations despite be appropriate in the particular case, or when the performance of a contract, including the provision of a service, is dependent on consent, even when this does not necessary for said fulfillment”. In turn, article 6 of the LOPDGDD, indicates, on the processing of personal data based on the consent of the affected party that: “1. In accordance with the established in article 4.11 of Regulation (EU) 2016/679, consent is understood affected person, any manifestation of free, specific, informed and inappropriate will. equivocal by which he accepts, either through a statement or a clear action affirmative, the treatment of personal data that concerns you. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 97/117 2. When it is intended to base the processing of the data on the consent of the affected for a plurality of purposes, it will be necessary to state specifically fica and unequivocal that said consent is granted for all of them. 3. The execution of the contract may not be subject to the affected party consenting to the treatment. processing of personal data for purposes that are not related to the maintenance maintenance, development or control of the contractual relationship.” In the present case, it is stated in the documentation in the file that the claimed entity, has marketed, through its digital platform, (www.- bankia.es), among others, three financial products: ON account; ON Payroll account and UN&DOS account, along with its associated debit cards. It also markets a credit card (ON Credit Card), which must be associated with an Account ON open. In the information sent by Bankia dated March 19, 2019, it is observed that the contracting of these products entails the collection of various commissions, such as the administration and maintenance of the account, as well as the fee for the Associated debit or credit cards, transfers in euros, national and EU subject to regulation 260/2012, carried out by non-face-to-face channel and check deposits in eu- ros payable in the domestic market. However, such commissions will be free as long as all the holders maintain what the entity calls a “profile digital". In the information sent on March 19, 2019, it is stated that “El Perfil Di- gital will be held when, among other stipulations, it is fulfilled that: - All holders have authorized Bankia, by subscribing to the Personal data processing document, equivalent document or corresponding contract, the processing of your personal data for the sending commercial communications through any communication channel enabled, including email and mobile phone. - All holders have authorized Bankia, by subscribing to the Personal data processing document, equivalent document or corresponding contract, the transfer of your personal data to companies of your group for the analysis of your profile for commercial purposes.” Such conditions were in force until 12/15/2019, when they disappeared. for new contracts for ON products, remaining for customers who already had an ON product until February 16, 2020, although the en- amount claimed indicates that they were not taken into account for the purpose of subsidizing or not missions from October 16, 2019. This Agency considers that the exemption of the co- banking missions to the provision of consent for two different treatments services: the sending of commercial communications and the transfer of personal data to the en- entities of the Bankia Group, so it cannot be considered that the consent is freely grants, while, if such treatments are not accepted or subsequently revoked consent thus obtained, there are negative consequences for the interested party who is subject, in such a case, to the payment of the commissions set by the bank entity. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 98/117 Caixabank alleges that the commissions do not constitute a levy but rather the consideration tion of the services provided by the bank, configuring itself as an element that must be incorporated into the current account contract, constituting an essential element whose purpose is the remuneration of the services provided. states that the products In any case, bank charges are associated with the payment of commissions and that the exemption from the same, contrary to what is indicated by the AEPD, constitutes a benefit for the interested party, who must not pay commissions that are consubstantial to the cele- signing of the contract. The reasoning followed by CAIXABANK cannot be shared. This Agency considers It should be noted that, indeed, the commissions can be part of the account contract paying the services provided by the banking entity, but in- tends that the link of the exemption of its collection to the provision of consent for other processing of personal data different from those of the contract determined mine that consent is not given in conditions of freedom. In this regard, in the guidelines on consent in the GDPR, approved given by the Working Group of article 29, adopted, at the meeting of May 25 of 2018, by the European Committee for Data Protection, a body to which the RGPD attributes the function of guaranteeing the coherent application of the same, is exposed, in the point to 3.1 what you consider a manifestation of free will: “The term 'free' implies real choice and control on the part of those concerned. What general rule, the RGPD establishes that, if the subject is not really free to choose, you feel compelled to give your consent or you will suffer negative consequences if you do not given, then the consent cannot be considered valid. If consent is- is included as a non-negotiable part of the general conditions it is assumed that it has not been freely given. Consequently, the consent will not be considered has been provided freely if the interested party cannot deny or withdraw their consent notwithstanding. The notion of imbalance between the person responsible for the treatment and the Resado is also taken into account in the GDPR. When assessing whether consent has been freely given, they should be considered also the specific situations in which consent is made conditional on execution. tion of contracts or the provision of a service as described in the article 7, paragraph 4. Article 7, paragraph 4, has been drafted in a non-exhaustive manner by the use of the expression "among other things", which means that there may be other circumstances that fall within the scope of this provision. In ther- Generally speaking, consent will be invalidated by any influence or bias inappropriate pressure exerted on the data subject (which can manifest itself in very different) that prevents him from exercising his free will. (The underlining is from the AEPD). Likewise, in point 3.1.1. the same document refers to the imbalance of power, noting “Power imbalances are not limited to public authorities. cases and employers, but can also occur in other situations. As WG29 has underlined in various opinions, consent can only be valid if the interested party can really choose and there is no risk of deception, intimidation, duress, coercion, or significant negative consequences (for example, additional costs) substantial losses) if you do not consent. Consent will not be free in C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 99/117 those cases in which there is an element of compulsion, pressure or inability to exercise free will. (The underlining is from the AEPD) This element of compulsion or pressure is determined, in the opinion of the AEPD, by the collection of these commissions established in such a way that they suppose a cost of sufficient entity so as to determine the clients of such accounts to accept the consent ment for the processing of data for purposes other than those of the contract. No it can thus be considered that consent is given freely at the time of enter into the contract and is freely modified at any time, as alleged by CAI- XABANK, since the non-provision of that consent for other purposes or its re- vocation determine the collection of commissions imposed by the bank, which which supposes, contrary to what CAIXABANK affirms, a clear damage to the in- tersated. In this sense, the working group points out in said guidelines regarding the damage “The data controller must demonstrate that it is possible to deny or withdraw consent. sentiment without suffering any prejudice (recital 42). For example, the person in charge of the treatment must demonstrate that the withdrawal of consent will not entail any some cost for the interested party and, therefore, no clear disadvantage for those who withdraw give consent.” (the underlining is from the AEPD) The working group continues by pointing out that “Other examples of harm are deception, harm, intimidation, coercion, or significant negative consequences if a data subject you do not give your consent. The data controller must be able to demonstrate that the interested party was able to exercise a free or real choice when giving his or her consent. and that it was possible for him to withdraw it without suffering any harm” (emphasis added). AEPD). CAIXABANK affirms that the EDPB in example 6 of said guidelines refers to what constitutes a loss, considering that it is the increase in commissions not their collection. This example indicates the following: “A bank asks its customers for consent so that third parties can use your payment details for direct marketing purposes. This processing activity It is not necessary for the execution of the contract with the client and the provision of services. habitual vices of the bank account. If the client's refusal to give consent refusal to such treatment would give rise to the bank's refusal to lend its services, to the closing of the bank account or, depending on the case, to an increase in commissions, consent could not be given freely.” This Agency understands that, regardless of the fact that the EDPB mentions only some examples of what constitutes a detriment, without pretending to contemplate all possible assumptions, the reference to the "increase in commissions" cannot intervene be interpreted in the literal sense that CAIXABANK expresses in its allegations. When the EDPB refers to an “increase in commissions” it is evident that it takes As a starting point, the assumption in which there are established commissions that are charged in any case, hence, if the refusal to give consent gives rise to for these to increase, consider that consent is not given freely, in Therefore, this increase supposes a loss for the interested party. That is, the consent is not free because its provision is conditioned to avoid a charge that was not provided C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 100/117 driving. And this example is equivalent to the one that occurs in the case object of the pre- this procedure, in which the exemption from the collection of commissions is linked to the provision of consent, so that the interested party does not provide said consent. thought freely, but conditioned by that circumstance. Therefore, this Agency understands that when consent is not given or its revocation implies a collection of commissions that would not occur under the provision of such consent for further processing, such consent is not free since said collection supposes a clear damage for the interested party. On the other hand, in no case can it be considered that the exemption from commissions constitutes a benefit for the interested party, on the contrary said exemption has as compensation the limitation of their fundamental right to data protection, limiting that can only be admissible when its acceptance is not conditional. tioned Said limitation in the present case implies the reception of communications of all the sectors referred to in the TDP, that is, financial sectors. insurance (banking, investment and insurance), real estate, cultural, travel, consumption and leisure and the transfer of your data not only to the companies of the group, but also to the collaborators, since the TDP does not establish that difference in the acceptance of the contract feeling. On the other hand, it is unknown at the time of signing the contract who are such collaborating entities, and the individual must go to the web page of the entity ability to know at all times to whom your data has been transferred. CAIXABANK alleges that the argumentation of this Agency fails, while the commissions These are consubstantial elements of the bank account contract and it is not possible consider that the contract may exist free of charge or without consideration by the te of the entity's client. This Agency does not share the reasoning of CAIXABANK, the Royal Decree-Law 19/2017, of November 24, of basic payment accounts, transfer of accounts of payment and comparability of commissions, establishes in its article 9.1 that "the commissions received for the services provided by credit institutions in relation to The basic payment accounts will be those that are freely agreed between said entities. des and clients”, in this way, this Agency understands that it can be agreed with the clients the exemption of its collection and that, if said exemption is linked to the provision of the Consent for processing of personal data other than those of the consent. treatment, said consent is not given in conditions of freedom. CAIXABANK also alleges that this Agency elevates to the category of source of the right the content of the documents and guidelines of the EDPB considering that their trans- aggression is a direct violation of the GDPR. In this regard, it is worth remembering that the EDPB is responsible under the RGPD for guarantee the consistent application of the same (art. 70.1 RGPD), issuing, with respect to any question relating to the application of the Regulations, guidelines, recommendations tions and good practices in order to promote the consistent application of the same (art.70.1.e), so the application of said rule by this Agency cannot if not to adjust to the consolidated criteria that are expressed in such opinions. On In this sense, declares the Supreme Court in Judgment 1,176/2020, of September 17. December 2020) “The Working Group contemplated in article 29 of the Directive C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 101/117 95/46/EC, which has been succeeded by the so-called European Data Protection Committee (CEDP), which dictates Directives 5/2019, is an independent consultative body whose function in accordance with the provisions of article 30.3 of Directive 95/46 CE is to address address issues related to privacy and personal data and issue guidelines ces about such as the one considered in the judgment of the National High Court, which consists in a guide for the implementation of the Judgment of the Costeja case C-131/12. The The guidelines lack binding normative value, but they do include the analysis of the ex- experts from the perspective of the protection of personal data of the criteria of weighting collected in the Judgment of the CJEU of May 13, 2014 Coste- ha, and with this indicative value they can be used by national authorities competent to resolve issues related to the protection of personal data. sound.” (the underlining is from the AEPD). CAIXABANK also alleges that the AEPD makes a new interpretation of the cri- EDPB, since in case of not being consistent with the theses that it intends to maintain, having the AEPD can only be due to two reasons: (i) their desire not to be exhaustive you, CAIXABANK understanding that the example seems to refer to all sub- positions in which it could be considered that there would be an affectation of the principle of freedom of the consent in a case such as the one analyzed, or (ii) understanding that the opinion interpretation must in turn be interpreted in the sense that the AEPD considers appropriate. assignor defend. It points out that the AEPD limits itself to considering that “[w]hen the EDPB refers to an "increase in commissions" it is evident that he takes as a point of departure the assumption in which there are some established commissions that are charged in any case” and that in relation to such a statement, that in a case in which the EDPB manifests itself with crystal clarity, it is not possible for the AEPD to broaden the interpretation assumption to the one that he considers adjusted to his thesis, no matter how evident it may be. attempt to consider this fact. If the AEPD considers that it is “obvious” the interpretation it intends to carry out, it should justify what it is based on to appreciate that su- put evidence. This Agency cannot admit such allegations, the very fact that it is An example shows that it cannot be exhaustive. On the other hand, it is not conceivable that a literal interpretation of an example can justify a limitation. tion of the right to data protection, based on the fact that it does not contemplate precisely the specific assumption that gives rise to said limitation, as occurs in the present procedure. In effect, CAIXABANK intends to justify that its actions is not contrary to the provisions of the RGPD, based on an example of the EDPB that is refers as a limitation of the principle of freedom of consent the increase in commissions, understanding that to the extent that it only refers to the "increase" there is no other situation that can fit the mentioned example. Respec- to the fact that the evidence is not justified in the affirmation of this Agency when it points out which “when the EDPB refers to an “increase in commissions” it is evident that takes as its starting point the assumption that there are established commissions that are charged in any case” this Agency considers that it is not necessary to justify a evidence, it is obvious that there can be no increase in commissions if they are not They are established and are being charged. CAIXABANK also alleges in support of its argument, the criterion adopted by another data protection authority, in a different case from the one that is the object of examination, in which he seems to hold an opinion contrary to that of this Agency, which C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 102/117 considers that it should be taken into consideration on the basis that the purpose of the RGPD is to establish a uniform framework in the application of rules and principles pio configurators of the fundamental right to data protection, This Agency does not consider that such a resolution should be taken into account for the sake of uniform application form of the rules of the RGPD, the work of guaranteeing the consistent application of the RGPD corresponds to the EDPB and that what is sustained in the alleged resolution is about a criterion adopted in isolation by another data protection authority, in a sub- different position and without the EDPB having supported such a criterion. CAIXABANK also alleges that there is no violation of article 7.4 of the RGPD, while there is no conditionality as described in said article. article since the provision of consent is not a sine qua non condition for the signing of the contract, the client being able to contract the services without the need for consent, these being the same regardless of the provision or not of the ci- given consent. It considers that it offers an equivalent service both to those who have provided the consent protection for the processing of your data as part of the so-called "digital profile" and to those who have not provided it, since the services offered are exactly the same and also the elements that will integrate the contracts in which they are formed. malize the services including commissions, even if the user holds the so-called digital profile, said commissions will be discounted in its entire amount as long as the digital profile is maintained. He affirms that if the AEPD considers that they are two different products for the sole fact that it is offered with and without bonus, it would empty of content any offer or promotion that could apply a private entity. Nor does this Agency share CAIXABANK's interpretation of what is indicated. side by the EDPB in the aforementioned guidelines on consent, in which this states that “The data controller could argue that his organization offers stakeholders a real choice if they could choose between a service that includes consent to the use of personal data for additional purposes, and an equivalent service offered by the same person in charge that does not imply providing the consent to the use of data for additional purposes. As long as there is a possibility that said person in charge of the treatment executes the contract or provides the services vices contracted without the consent for the other use or the additional use of the data in question, it will mean that there is no longer any conditionality with respect to the service. No However, both services must be really equivalent.” Contrary to what is alleged by CAIXABANK, this Agency understands that said affirmation mation of the EDPB precisely reflects a situation in which there is no conditionality any quality in the provision of consent, which does not occur in the present su- since an element of the current account contract, commissions, is used to condition the provision of consent for other uses of the data, therefore that the services cannot be considered as equivalent. CAIXABANK also alleges that the services covered by this file are not the only ones that make up its catalog of products and services, mentioning others such as the Easy Account, the Youth Account or the Basic Payment account. However, not certifies that it is an equivalent service. It cannot be admitted that any account C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 103/117 current is an equivalent service if the conditions in which it is provided are different or are directed to a certain group, so that it is excluded that others can they hire him. CAIXABANK in the allegations to the proposed resolution refers to the “EASY ACCOUNT”, affirming that its clients can choose to contract another product of identical nature also exempt from the payment of commissions. This Agency does not consider It would seem that said product could be considered equivalent, since the conditions in which it is provided are different, requiring economic conditions that are not were required at the opening of the ON account (existence of a payroll equal to or greater than greater than 700 euros or unemployment benefit or pension equal to or greater than 200 euros and meet one of the following conditions: • Make two purchases a month with a credit card • Contribution of 135 euros in risk insurance premiums. • Possession of more than 30,000 euros in investment funds, pension plans or se- savings insurance (this requirement was also fulfilled in the case of holding 40,000 euros in investment products of the entity, being excluded from this requirement persons under the age of 26). CAIXABANK mentions what is stated in the European Legislation Manual on of data protection, adopted by the Agency for Fundamental Rights of the European Union and the Council of Europe, in collaboration with the European Court of Human Rights and the European Data Protection Supervisor, in relation to the free nature of consent, which states that: This does not mean, however, that consent can never be valid in circumstance. circumstances in which the lack of consent had some negative consequences you go. For example, if the consequence of not consenting to have a card- customer from a supermarket is only that small discounts will not be received. stories in the prices of some products, consent could be a basis legal valid to treat the personal data of those clients who grant their consent to have said card. There is no subordination between the company and the client, and the consequences of the lack of consent are not sufficient serious enough to limit the freedom of choice of the interested party (provided that the reduction price difference is small enough not to affect that freedom of choice)" CAIXABANK alleges, citing said example, that the Agency's reasoning leads us to consider that the establishment of a discount to those who would have accepted its inclusion in a loyalty program of any company with the consent following acceptance of the processing of your data would be null, since it is not established the possibility of enjoying the same discount in case of not choosing to adhere to the fidelazation program. This Agency cannot share such an allegation either, we are not faced with a loyalty program as in the example indicated, but in the event that, as indicated in the 5/2020 Guidelines on consent, they are merged or blurred the two legal bases for the lawful processing of personal data, the consent and the contract, thus breaching article 7.4, which guarantees that the treatment of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 104/117 the data for which consent has been requested does not become a consideration of the contract. CAIXABANK alleges that the EDPB does not consider it inadmissible or contrary to freedom in the provision of consent the granting of an incentive or benefit, having Note that the guidelines state that “the GDPR does not exclude incentives, but co- It would be up to the data controller to demonstrate that the consent has been continued to give freely in any circumstance.” This Agency, as it has come pointing out repeatedly, understands that the fact that the exemption from payment of the commissions is conditional on the provision of consent for purposes other than those of the contract determines that it cannot be considered that the consent lie has been given freely. Lastly, the allegation that this Agency, considering that the consent given has been subject to coercion in the free will of the in- interested parties, is considered competent to assess the nullity of a contract in which incentives or benefits are established. This Agency does not assess the validity of the contract, but that of consent to carry out other treatments different from their own of the contract and that is conditioned by the exemption from the collection of commissions, which In the opinion of this Agency, it is contrary to the provisions of article 7.4 of the RGPD. CAIXABANK affirms that the reasoning of the AEPD not only affects the freedom of consent to the processing of personal data but states that such consent sentiment as an essential element of the current account contract is affected as a consequence of exempting from the payment of commissions those who provide the feeling for the digital profile, which not only affects the application of the regulations of personal data but to the legality of the contract itself, given that if the consent to contract the financial product is null because there is a kind of coercion, there would be an invalidating defect of the contract itself, as the contracted consent is affected. tual. In this regard, it is only possible for this Agency to reiterate what was stated above. Subsequently, this Agency is limited to the exercise of its powers, among which are finds the assessment that the consent given to carry out treatment Data transfers other than those of the contract between the parties violates article 7.4 of the RGPD, being the consequences indicated by CAIXABANK unrelated to its actions. tion, without this Agency being competent to rule on them. Consequently, in accordance with the findings set forth, the aforementioned chos suppose a violation of article 6 of the RGPD, in relation to article 7 of the same legal text, which gives rise to the application of the corrective powers that the ar- Article 58 of the RGPD grants the Spanish Data Protection Agency. IV The record shows that during the period between July 8 and 15 August 2018, affecting ON account customers contracted through the online channel. ne, the consents were pre-marked in the acceptance state (con- sorry) for new customers. That is, when a new client was registered through the online channel, the consents were pre-marked during the pro- C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 105/117 registration process, not occurring in office registrations. The number of customers who passed the registration process in the period between 07/08/2018 and 08/15/2018 (pro- ducts ON through the online channel), there are a total of 2,562 (of which 2,192 are still active and 270 have been cancelled). It is known that with respect to the 812 clients who have not modified their consents nor have they left the entity, they have been carried out carry out commercial actions through email or SMS. These actions are have developed in the period between August 2018 (registration date) and April 2020. The requirement that “consent must be given through a clear affirmative act that reflects a manifestation of free, specific, independent will. formed, and unequivocal of the interested party to accept the treatment of data of a character that concern him", it being understood that "silence, the boxes already checked or inaction should not constitute consent” (Recital 32). The absence of such a requirement determines that it is not valid so that the treatments based on it lack legitimacy, thus contravening the provisions of Article 6 of the GDPR. In this sense, they point out Guidelines 5/2020 on consent in the sense of Regulation (EU) 2016/679, regarding the unequivocal expression of will: “The GDPR clearly establishes that consent requires a declaration of the in- concerned or a clear affirmative action, which means that consent must always be given. feeling through an action or statement. It should be evident that the interest sado has given its consent to a specific data processing operation. (…) A controller should also bear in mind that consent cannot be obtained by the same action by which the user agrees to a treatment or accept the general terms and conditions of a service. The global acceptance bal of the general terms and conditions cannot be considered a clear action affirmative intended to give consent to the use of personal data. The GDPR does not allows data controllers to offer pre-ticked boxes or voluntary exclusion mechanisms that require the intervention of the interested party to avoid settlement (e.g. “opt-out boxes”)” CAIXABANK alleges that the imposition of the sanction for such acts is inadmissible. chos by application of the non bis in idem principle. Considers that the AEPD would be sanctioned Doubly mentioning the lack of legal basis for the processing of personal data. them of the customers who had contracted the controversial products through the channel online on the dates between July 8 and August 15, given that by one party affirms that the consent granted is not valid because it is not free and, secondly, secondly, that said consent is not valid because the pre-selected boxes are found. marked. It affirms that if the reasoning of the AEPD is followed, none of the consents provided (whether or not the box was pre-checked) would be valid, so imposing an additional sanction for the fact that in such an extremely small number of assumptions said box is pre-marked is nothing but a contravention of the principle pio non bis idem. And this should immediately entail the subsumption of this subsumption. infringement in the collection by the AEPD in the first place. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 106/117 It is worth mentioning here the Judgment of the National High Court of July 23, 2021 (rec. 1/2017), in which it concludes that the non bis in idem principle has not been violated because there is no coincidence in the imputed facts. Said Judgment states that “(…) According to the legislation and jurisprudence exposed, the non bis in idem principle prevents punishing the same subject twice for the same act based on the same as a foundation, the latter being understood as the same legal interest protected by the sanctioning rules in question. Indeed, when there is the triple identity of object, fact and basis, the sum of sanctions creates a sanction outside the judgment of proportionality carried out by the legislator and materializes the imposition of a sanction not legally provided for, which also violates the principle of proportionality. But in order to speak of "bis in idem" there must be a triple identity between between the terms compared: objective (same facts), subjective (against the same subjects) and causal (for the same reason or reason to punish): a) Subjective identity assumes that the affected subject must be the same, whatever whatever the nature or judicial or administrative authority that prosecutes and independently evidence of who is the accuser or specific body that has resolved, or that is prosecuted cie alone or in concurrence with other affected. b) The factual identity supposes that the prosecuted facts are the same, and rules out the assumptions of real contest of infractions in which it is not before the same he- cho unlawful but before several. c) The identity of the basis or cause implies that the sanctioning measures do not can concur if they respond to the same nature, that is, if they participate in a same teleological foundation, what happens between penal and administrative sanctions, but not between the punitive and the merely coercive.” Based on these criteria, this Agency considers that in this procedure This principle is not violated, since it does not penalize twice the same acts, but that we are faced with different facts. In effect, in the previous point the fact that the entity claimed was examined was asked its clients for their consent for certain treatments, failing to comply the requirements of article 7, which determined its invalidity. In the present it is done reference to data processing carried out with respect to a group of clients that when contracting said account in a certain period of time, the period between on July 8 and August 15, the pre-ticked boxes were found, so that they did not unequivocally give their consent. therefore cannot be subsumed said infraction in the one indicated in the previous point, since we are not before the infringement of the provisions of article 7 in relation to 6 of the RGPD, but in the absence of any consent and, consequently, in the absence of a basis legitimizing for the treatment, thus infringing article 6 of said norm. This difference in conduct is clearly expressed in the LOPDGDD by pointing out, for the purposes of prescription, in its article 72, relative to the infractions considered very serious, the following: 1. Based on the provisions of article 83.5 of Regulation (EU) 2016/679, considered very serious and will prescribe after three years the infractions that suppose C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 107/117 a substantial violation of the articles mentioned therein and, in particular, the following: (…) b) The processing of personal data without the concurrence of any of the license conditions treatment established in article 6 of Regulation (EU) 2016/679. (…) c) Failure to comply with the requirements of Article 7 of the Regulation (EU) 2016/679 for the validity of consent.” Consequently, in accordance with the exposed evidence, the aforementioned facts suppose a violation of article 6 of the RGPD, which gives rise to the application of the corrective powers that article 58 of the aforementioned Regulation grants to the Agencia Es- Data Protection panel. v In the event that there is an infringement of the provisions of the RGPD, between the corrective powers available to the Spanish Data Protection Agency, as a control authority, article 58.2 of said Regulation contemplates the following: “2 Each supervisory authority shall have all of the following corrective powers listed below: (…) b) send a warning to any person responsible or in charge of the treatment when the treatment operations have violated the provisions of this Regulation. (correction of errors in Regulation (EU) 2016/679, DOUE number 74, of 4 March 2021) (...) d) order the person in charge or in charge of the treatment that the operations of treatment comply with the provisions of this Regulation, where appropriate, in a certain way and within a specified period; (…) i) impose an administrative fine in accordance with article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each case particular;" According to the provisions of article 83.2 of the RGPD, the measure provided for in letter d) above is compatible with the sanction consisting of an administrative fine. SAW In this case, non-compliance with article 7 has been proven. in relation to article 6 of the RGPD and article 6 of the same regulation, with the scope expressed in the previous Foundations of Law, which implies the commission of the offenses typified in article 83.5 of the RGPD, which under the heading "General conditions for the imposition of administrative fines" provides the next: 5. Violations of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 108/117 in the case of a company, an amount equivalent to a maximum of 4% of the global total annual turnover of the previous financial year, opting for the largest amount: a) The basic principles for the treatment, including the conditions for the consent under articles 5, 6, 7 and 9; In this regard, the LOPDGDD, in its article 71 establishes that "They constitute infractions the acts and behaviors referred to in sections 4, 5 and 6 of the Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to the present organic law”. For the purposes of the limitation period, article 72 of the LOPDGDD indicates: “Article 72. Infractions considered very serious. 1. Based on the provisions of article 83.5 of Regulation (EU) 2016/679, considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: (…) b) The processing of personal data without the concurrence of any of the conditions of legality of the treatment established in article 6 of Regulation (EU) 2016/679. (…) c) Failure to comply with the requirements of Article 7 of the Regulation (EU) 2016/679 for the validity of consent.” In order to determine the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the RGPD, precepts that indicate: "1. Each control authority will guarantee that the imposition of fines administrative actions under this article for violations of this Regulation indicated in sections 4, 9 and 6 are in each individual case effective, proportionate and dissuasive. 2. Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures contemplated in the Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administration and its amount in each individual case will be duly taken into account: a) the nature, seriousness and duration of the offence, taking into account the nature, scope or purpose of the processing operation in question as well such as the number of interested parties affected and the level of damages that have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the controller or processor to alleviate the damages suffered by the interested parties; d) the degree of responsibility of the person in charge or of the person in charge of the treatment, taking into account the technical or organizational measures that they have applied under of articles 25 and 32; e) any previous infringement committed by the person in charge or the person in charge of the treatment; f) the degree of cooperation with the supervisory authority in order to remedy the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 109/117 infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particular whether the person in charge or the person in charge notified the infringement and, if so, in what measure; i) when the measures indicated in article 58, section 2, have been ordered previously against the person in charge or the person in charge in question in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under article 40 or mechanisms of certification approved in accordance with article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.” For its part, article 76 “Sanctions and corrective measures” of the LOPDGDD has: "1. The penalties provided for in sections 4, 5 and 6 of article 83 of the Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in section 2 of the aforementioned article. 2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 may also be taken into account: a) The continuing nature of the offence. b) The link between the activity of the offender and the performance of treatment of personal information. c) The profits obtained as a result of committing the offence. d) The possibility that the conduct of the affected party could have induced the commission of the offence. e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity. f) Affectation of the rights of minors. g) Have, when not mandatory, a data protection delegate. h) Submission by the person in charge or person in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which there are controversies between them and any interested party.” In this case, considering the seriousness of the infractions found, it is appropriate the imposition of a fine without being able to accept the request made by CAIXABANK to impose other corrective powers that would have allowed the correction of the irregular situation, such as the warning, provides in this sense the recital 148 of the RGPD "In order to reinforce the application of the rules of the this Regulation, any infraction of this must be punished with sanctions, including administrative fines, in addition to appropriate measures imposed by the supervisory authority by virtue of this Regulation, or in replacement of these. In the case of a minor offence, or if the fine that is likely to be imposed would constitute a disproportionate burden on a natural person, rather than sanction by means of a fine, a warning may be imposed. must however Special attention should be paid to the nature, seriousness and duration of the infringement, its intentional nature, to the measures taken to alleviate the damages suffered, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 110/117 the degree of liability or any relevant prior violation, the manner in which that the control authority has been aware of the infraction, compliance of measures ordered against the person responsible or in charge, adherence to codes of conduct and any other aggravating or mitigating circumstance. The imposition of sanctions, including administrative fines, must be subject to guarantees sufficient procedural requirements in accordance with the general principles of Union Law and of the Charter, including the right to effective judicial protection and to a process with all guarantees.” CAIXABANK alleges that it is appropriate with respect to the second of the infractions the imposition of the warning measure established in article 58.2 RGPD, taking into consideration what was stated by the Article 29 Working Group in its document WP253 of “Guidelines on the application and fixing of fines for the purposes of Regulation 2016/679”, when noting that: “In the Recital 148 introduces the notion of "minor infringements". Said violations may constitute violations of one or several provisions of the Regulation cited in Article 83, paragraphs 4 or 5. However, the evaluation of the criteria provided for in Article 83, paragraph 2, may lead the supervisory authority to consider, for example, that in the specific circumstances of the case the violation does not entail a significant risk to the rights of data subjects and does not affect the essence of the obligation in question. In such cases, the fine may be substituted (although not always) for a warning”. It alleges that the assumption has only affected 812 of a total of 1,200,000 customers, without there being any type of claim on your part and without said affected parties have maintained, from the time the incident occurred, any type of relationship with CAIXABANK, as they are inactive clients with respect to whom, In addition, said entity considered that consent was not given, refraining from proceed to the processing of your personal data, and all this after having taken extremely diligent measures aimed at achieving contact with the aforementioned clients. In the opinion of this Agency there are no circumstances that may allow it imposition of a warning regarding said infraction, since it is breached here one of the essential obligations, the existence of legitimacy, so that the data processing is in accordance with the provisions of its regulatory regulations and such Non-compliance fully violates the rights of the interested parties. The circumstances alleged by CAIXABANK cannot be considered because nothing alter the fact that the consent of the interested parties has not been requested, but the fact is that this Agency cannot accept what is alleged by CAIXABANK either: the number of clients was not 812, but 2,562, of which 812 have not changed the consents nor have they subsequently caused cancellation in said entity; CAIXABANK has not refrained from processing personal data of these 812 clients as stated, since regarding them have been carried out commercial actions through email or SMS, such as is accredited in the proven facts, being aware that he lacked consent to process your data, carrying out such actions in the period between August 2018 (registration date) and April 2020 Nor can appreciate that it has acted with diligence when the events occurred in 2018 and it was not until May 2020 that actions aimed at C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 111/117 Obtain the consent of the clients. In accordance with the precepts transcribed, in order to set the amount of the sanctions of a fine to be imposed in this case on the defendant, as responsible for the infractions typified in article 83.5.a) of the RGPD, it is appropriate to graduate the fine that should be imposed for the infraction imputed by each of the offenses charged as follows: 1. Violation due to non-compliance with the provisions of article 6 in relation to the article 7 of the RGPD, typified in article 83.5.a) and classified as very serious to effects of prescription in article 72.1.c) of the LOPDGDD: It is estimated that the following factors concur as aggravating factors: reveal greater unlawfulness and/or culpability in CAIXABANK's conduct: a) The circumstance described in article 83.2.a) RGPD, which values the nature, severity and duration of the offence. This is not infringing conduct. isolated. It is about the design of a financial product with the purpose of condition the clients of the entity that contract the same, through the exemption from the collection of contract commissions, to give their consent for purposes other than those of said contract. It also takes into account the high number of stakeholders affected: the number of customers as of May 31 of 2019 that the ON Nomina, UN&DOS and ON accounts had contracted was 1,197,000, of which they had given their consent to receive of advertising 965,972 and for the transfer of your data to group companies 952,677 customers. It also carries out the treatment of a large volume of Data of the interested parties who consent to the profiling being carried out with the data that is qualified in the TDP as personal and includes data relating to customer identification, contact information, marital status, number of children, date and province of birth, nationality and professional data; with the data obtained from the contracted products and with those obtained from from the operations, movements or transactions associated with their products. Caixabank alleges that if the offending conduct is considered to consist of the alleged conditioning of the consent of its clients for the processing of your personal data as an exemption from the payment of commissions, insofar as said conduct integrates the type of infraction can hardly be considered a circumstance that aggravates the responsibility. However, this Agency understands that what is taken into account here is not the offending type, even if it is mentioned in the presentation of the argument. I know considers as aggravating the fact that it is not an isolated conduct, but it is the result of a commercial policy of said entity that affects a large number of stakeholders. It alleges that the Motion for a Resolution states that "there is In addition, the treatment of a large volume of data of the interested parties that consent that the profiling is carried out with the data that is qualified in the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 112/117 TDP as personal and include data related to customer identification, their contact information, marital status, number of children, date and province of birth, nationality and professional data; with the data obtained from the products contracted and with those obtained from the operations, movements or transactions associated with their products”. Notes that, As indicated in the proven facts, the profile referred to in the Resolution Proposal would have a character prior to the transfer of the data personal data of customers who have given their consent to do so the companies of the Group or collaborators of CAIXABANK. However, the The Proposal itself includes as a proven fact that the aforementioned transfer did not have place in any case, when indicating that “[a]lthough the consent to customers, BANKIA has not transferred their personal data or to companies of the group or other collaborating entities based on these general consents of the TDP nor is there any provision for it” In this Likewise, a circumstance that has not occurred cannot be applied as an aggravating circumstance. according to the factual account of the motion for a resolution. This Agency cannot share such an argument, we can only remind this respect that the exemption of commissions is linked to the provision of the consent for two different treatments: the transfer of data to the companies of the Group or collaborating entities of CAIXABANK and the sending of commercial communications. Regarding this second treatment, it is clear that in the TDP document that consent is requested for the sending of “personalized commercial communications through any channel (paper, electronic, telematic, digital media, etc.) on products, services, promotions or discounts in the financial sectors (banking, investment and insurance), real estate, cultural, travel, consumption and leisure based on your profile, prepared from your personal data, the products you have contracted, as well as from the operations, movements or transactions associated with their products. (the underlining is from the AEPD). b) The circumstance described in article 83.2.b) RGPD that values “the intentionality or negligence in the commission of the infraction”, It is a intentional conduct in relation to the violation of the rules of protection of personal data, being aware the claimed entity that the exemption of the payment of commissions would have the result that the majority of the clients of said accounts consent to the data processing of advertising and transfer of data to group companies. He alleges that it is not possible for the AEPD to assess as an aggravating circumstance what is nothing but a mere business strategy and that raises to the degree of aggravating circumstance what CAIXABANK could or could not consider in the time of launching the product, taking this conjecture as proven. In the opinion of this Agency, being a business strategy proves said intention. On the other hand, this behavior was maintained over time. Therefore, during the period in which the exemption from the collection of commissions to the provision of consent for the purposes of shipments advertising and assignment to other entities of the group and collaborators, CAIXABANK was able to assess the result of said strategy, deciding to maintain it until 16 C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 113/117 October 2019, so the entity was fully aware that the Most clients consented to such treatments to achieve fee waiver. This is also shown by the responses to the transfers to the CAIXABANK Data Protection Delegate of the claims made before this Agency. c) The circumstance described in article 83.2.k) RGPD, any other factor applicable to the circumstances of the case: The condition of large company of the responsible entity and its turnover. For these purposes, it is Note that Bankia's net margin before provisions in the year 2019 financial year was 1,428 million euros. CAIXABANK alleges that it has found neither in the GDPR regime nor in the of the LOPDGDD no rule that considers this circumstance as aggravating circumstance of an offence. Consider that it is included completely arbitrary to the catalog established in the current regulations, with the consequent breach of the principle of legality. Such an allegation cannot be shared, article 83.1 of the RGPD provides that "Each control authority will guarantee that the imposition of administrative fines under this Article for infringements of this Regulation indicated in sections 4, 5 and 6 are in each individual case effective, proportionate and dissuasive.” Number 2 of said article establishes that decide the imposition of an administrative fine and its amount in each case will be duly taken into account: (...) k) any other factor aggravating or mitigating circumstance applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.” For these purposes, as an aggravating factor, it is worth taking into account the of the entity as a large company which is linked between other aspects to your billing volume, to the extent that you have greater means to comply with the obligations imposed by the GDPR. d) The circumstance described in article 76.2.a) LOPDGDD: the character continuation of the offence. CAIXABANK alleges that aside from the fact that, as indicated in the aforementioned sentence, the circumstance of continued infringement, which is established in the Article 76.2 a) of the LOPDGDD cannot be assimilated to that of infraction permanent, a similarity that, on the contrary, the AEPD does appreciate, it is necessary to taking into account that it is not stated as proven in the Proposal that the treatment without consent) has taken place, stating that in no case was there effectively the transfer of data with respect to which the request was made consent of the interested party. In the opinion of this Agency, it should be remembered here that there are two purposes for which the consent of the entity's clients was requested, linked to the exemption of commissions, on the one hand the transfer of data to other entities C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 114/117 of the group or collaborating entities and, on the other, the sending of communications commercial, being accredited in the file that they were carried out advertising campaigns via SMS or email from 2018 to 2020. e) The circumstance described in article 76.2.b) LOPDGDD: High connection of the offender's activity with the performance of data processing personal. The operations that constitute the business activity of the claimed entity involve personal data processing operations. f) The circumstance described in article 76.2.c) LOPDGDD: The benefits obtained as a result of committing the offence. It is held in account that among its commercial activities is the sending of commercial communications to its clients in the following sectors: financial (banking, investment and insurance), real estate, cultural, travel, consumption and leisure. CAIXABANK states that it does not understand why it is considered that the carrying out the aforementioned communications constitutes its activity when it is notice that it is a bank. Considers that at most it could imply the existence of a link between their activity and the performance of data processing, but in no case does it imply obtaining a supposed benefit for the same and that it is not accredited said benefit. It should be remembered here that the exemption from the collection of commissions is linked to the consent to carry out two different data treatments: the sending of advertising of the sectors mentioned in the TDP document and the transfer of your data to the group companies and collaborating entities. in what Regarding the advertising activities for which the consent, these may relate, on the one hand, to other products of the entity itself, seeking its contracting by its clients with the consequent economic benefit. On the other hand, it may be the realization of publicity for third parties that in the present case includes a wide variety of sectors, also obtaining an economic benefit of such activity based on commercial agreements with other entities to those who are going to carry out said advertising activities. like repeatedly has been pointed out, it is clear from the proven facts that they were carried out advertising campaigns via SMS or email from 2018 to 2020 that affected even customers who had not been requested to consent because the boxes are pre-ticked. It is estimated that the circumstance described in the Article 76.2.e) of the LOPDGDD: The existence of a merger process by absorption after the commission of the offence, which cannot be attributed to the entity absorbent. This Agency understands that CAIXABANK's request that it be consider as extenuating circumstances those provided for in letters c) and f) of article 83.2 of the RGPD, alleging that the conditions for the exemption of the commissions do not were taken into account from October 16, 2019, before said entity C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 115/117 was aware of the existence of inspection actions directed against the itself, having also provided all its collaboration in the investigation of the facts and in the minimization of damages. Article 83.2 in its letters c and f provides the following: “Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures contemplated in the Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administration and its amount in each individual case will be duly taken into account: (…) c) any measure taken by the controller or processor to alleviate the damages suffered by the interested parties; (…) f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement;” In the opinion of this Agency, the cessation of the infringing action is not framed in neither of the two mitigating factors, nor is collaboration in the investigation of the facts that results in an obligatory action by the entity object of inspection (article 52 of the LOPDGDD). Considering the exposed factors, the initial valuation that reaches the fine for the imputed infringement is 2,000,000 euros. 2. Infraction due to non-compliance with the provisions of article 6 of the RGPD, typified in article 83.5.a) and classified as very serious for the purposes of prescription in the Article 72.1.b) of the LOPDGDD: It is estimated that they concur as aggravating factors, in addition to the factors exposed in relation to the previous infraction indicated in letters c), d), e) and f), the following factors that reveal greater unlawfulness and/or culpability in the CAIXABANK conduct: a) The circumstance described in article 83.2.a) RGPD, which values the nature, severity and duration of the offence. The nature, gravity and duration of the infraction. This is not an isolated incident, but rather affects to the consent collection procedure for a period of time, during which the consents appeared pre-marked for those customers who contracted online. b) The circumstance described in article 83.2.b) RGPD that values “the intentionality or negligence in the commission of the infraction”, The defect that constitutes the infraction, this is the existence of consents pre-marked, given its evidence it should have been warned and avoided by a entity of the characteristics of the claimed entity. CAIXABANK points out that regarding the aggravating circumstances indicated in letters c, d, e and f) of the previous section reproduces the allegations made to them in said C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 116/117 sections. This Agency believes that the considerations of this Agency in relation to such allegations are fully applicable at this point. CAIXABANK alleges, for purposes of determining liability for said events, which resolved the incident that occurred in its systems on August 15, when There was no complaint or claim directed against said entity. immediately how many actions were necessary to ensure that the consents given were with absolute freedom and without conditioning some, finally deciding to consider these denied. This Agency cannot admit that it acted diligently every time that the events occurred in 2018 and it was not until May 2020 that they began actions aimed at obtaining the consent of the clients and that, during said period, said entity being aware that it lacked the consent of those affected, carried out commercial actions with respect to those clients. It is estimated that the circumstance described in the Article 76.2.e) of the LOPDGDD: The existence of a merger process by absorption after the commission of the offence, which cannot be attributed to the entity absorbent. Considering the exposed factors, the initial valuation that reaches the fine for the infringement charged is 100,000 euros. Therefore, in accordance with the applicable legislation and having assessed the criteria for graduation of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE the entity CAIXABANK S.A., with CIF A08663619, for a infringement of article 6 in relation to 7.4 of the RGPD, typified in article 83.5.a of the RGPD, a fine of 2,000,000 euros (two million euros), in relation to Obtaining consent for purposes other than those of the contract conditioning its obtaining to the exemption of banking commissions, as indicated in this resolution. SECOND: IMPOSE the entity CAIXABANK S.A., with CIF A08663619, for a infringement of article 6.1 of the RGPD, typified in article 83.5.a of the RGPD, with a fine of 100,000 euros (one hundred thousand euros), in relation to obtaining consent through pre-marked boxes, as indicated in this resolution. THIRD PARTIES: NOTIFY this resolution to CAIXABANK S.A. FOURTH: Warn the sanctioned party that he must make the imposed sanction effective once Once this resolution is enforceable, in accordance with the provisions of the art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common Public Administrations (hereinafter LPACAP), within the payment term voluntary established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, through its entry, indicating the NIF of the sanctioned and the number C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 117/117 of procedure that appears in the heading of this document, in the account restricted number ES00 0000 0000 0000 0000 0000, opened on behalf of the Agency Spanish Department of Data Protection in the banking entity CAIXABANK, S.A.. In case Otherwise, it will be collected in the executive period. Received the notification and once executed, if the date of execution is between the 1st and 15th of each month, both inclusive, the term to make the payment voluntary will be until the 20th day of the following month or immediately after, and if between the 16th and last day of each month, both inclusive, the payment term It will be until the 5th of the second following month or immediately after. In accordance with the provisions of article 76.4 of the LOPDGDD and given that the amount of the sanction imposed is greater than one million euros, it will be subject to publication in the Official State Gazette of the information that identifies the offender, the offense committed and the amount of the penalty. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month from counting from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the firm resolution in administrative proceedings if the The interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact by writing addressed to the Spanish Agency for Data Protection, presenting it through Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other registers provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the documentation proving the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would end the precautionary suspension. 938-190122 Sea Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es