AEPD (Spain) - EXP202202567: Difference between revisions

From GDPRhub

Revision as of 12:56, 12 February 2025

AEPD - EXP202202567
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Article 28 GDPR
Type: Complaint
Outcome: Upheld
Started: 14.01.2022
Decided: 04.02.2025
Published: 05.02.2025
Fine: n/a
Parties: n/a
National Case Number/Name: EXP202202567
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: ao

The DPA fined an insurance company €300,000 for instructing its processor to unlawfully access customers' driving penalty points in order to then offer discounts to customers with a low penalty point balance.

English Summary

Facts

On 14 January 2022, the data subject lodged a complaint with the Spanish DPA (Agencia Española de Protección de Datos – AEPD) against the controller, Línea Directa Aseguradora, an insurance company.

After the data subject had entered into a contract with the controller for a car insurance policy, they received a call from the controller's processor, another company named Majorel, in which it asked the data subject to disclose their driver's license date of issue as well as their ID number. The processor claimed that the data subject's consent to the use of this information in order to access their driver's license penalty points balance with the Directorate-General for Traffic (DGT) had been obtained during the phone call. The controller posited that the questions asked clearly demonstrated that the DGT data would be accessed by the controller.

The processor accessed the personal data from the DGT by bypassing the DGT’s authentication system: the processor entered the data subject's ID number and driver's license numbers into the DGT system in order to trick the system. It then provided its own email address instead of the data subject's email address to receive the requested information, i.e. information on the balance of driving penalty points. The processor did this with several of its customers.

The controller then used the data collected by its processor in this way to supply customers who had a low balance of driving penalty points with discounts on their policies.

When the data subject later logged into the DGT, they noticed that an unfamiliar email address had been used, which caused them to file the complaint. In the complaint, the data subject detailed that they thought the information requested during the phone call related simply to the issue of the car insurance policy.

Holding

No legal basis

The AEPD held that the controller lacked a legal basis under Article 6(1) GDPR for accessing and processing the data received from the DGT. The transcripts of the phone call showed that the data subject's consent to the access of their penalty points had not been obtained. The AEPD found that the fact that the processor had access to the penalty points could only be inferred from the conversation but the processor did not clearly explain to the data subject that the DGT account had been accessed.

The AEPD therefore concluded that the true purpose of the processing, which was issuing discounts to individuals with a low penalty point score, was never disclosed to the data subject. Instead, the purpose communicated was merely the formation of the insurance policy contract. However, the processed data was not necessary for the formation of the contract; the controller therefore could not rely on any legal basis under Article 6(1) GDPR.

No accurate instruction to the processor

The AEPD highlighted that the offence was of a serious nature as it involved unauthorised access to a state body’s data. The AEPD found that the controller had failed to include in the contract with its processor the need to obtain consent for the data processing. Specifically, the processor should have clearly explained to the data subject that the driving penalty points would be accessed by the processor in order to calculate discounts for the insurance policy. Therefore, the AEPD found the controller guilty of violating Article 28(3) GDPR as it did not provide its processor with the correct instructions in order to process data in accordance with the GDPR.

Fine

The fine is made up of €100,000 for violating Article 6(1) GDPR and €200,000 for violating Article 28(3) GDPR, with both violations being classified as very serious infringements. The AEPD considered that over a 12-month period a large number of data subjects were affected by the unlawful processing. The AEPD ordered the controller to bring its processing activities into compliance with the GDPR within three months.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

 File No.: EXP202202567

SANCTIONING PROCEDURE RESOLUTION

From the procedure instructed by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: A.A.A. (hereinafter, the complaining party) on 01/14/2022 filed
a complaint with the Spanish Data Protection Agency (AEPD). The
complaint is directed against LÍNEA DIRECTA ASEGURADORA, S.A., INSURANCE AND REINSURANCE COMPANY, with NIF A80871031, (hereinafter, the
respondent or LÍNEA DIRECTA). The fact on which the claim is based is the following:

The exclusive insurance agent of LÍNEA DIRECTA, the company MAJOREL S.P. SOLUTIONS, S.A., (hereinafter, MAJOREL), without obtaining his consent, has checked the points balance associated with his driving license through the website of the Directorate General of Traffic (DGT). In order to make this query, MAJOREL has previously obtained an access code from the DGT, for which it has had to provide personal data of the claimant - the NIF and the date of issue of his driving license - and an email address - in this case, an address of which the claimant is not the owner - to which the DGT has sent the code. Once the code has been received, the information on the points that is registered with the DGT has been accessed.

The complainant states:

“Today, 01/13/2022, I requested the price of car insurance from the insurance company Línea Directa Aseguradora. A mediator (MAJOREL SP
SOLUTIONS, S.A.U.) called me by phone […]. This entity has consulted my driving license points balance without my consent, through the DGT website, without a certificate.

They have entered my ID, my driving license issue date, on the DGT website, and have inserted an email that is not my property, without my consent, so that the DGT could send them an access code to know my driving license points balance.
I have subsequently checked the email they have used by accessing the DGT website and requesting the recovery of the code by email.
The email that appears to me is ***EMAIL.1. I decide to file a complaint since at no time have I given my consent for them to carry out this consultation on my behalf.” (Emphasis added)

With his complaint he provides:

- A screenshot with the heading “Government of Spain”, “Ministry of the Interior”, “General Directorate of Traffic” and which includes this

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/73

information: “Access code request. Step 2 of 2 - Verification of personal
data.”

Immediately below, in a box, the following data of the complainant appear:
first name, surname 1, surname 2, NIF and the date of issue of his driving license.
Next, in two boxes preceded by the headings “E-mail” and “E-mail verification”, this email address appears in both boxes: ***EMAIL.1. Finally,
preceded by the information symbol, this legend appears: “The email address that you provide us will be where you will receive your access code”.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), said claim was transferred to LÍNEA DIRECTA and
MAJOREL so that they could proceed with its analysis and inform this Agency, within a
month, of the actions carried out to comply with the requirements
provided for in the data protection regulations.

The transfer was carried out in accordance with the provisions of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP) on 03/03/2022. The notification was accepted on that same date by both entities as evidenced by the receipts included in the file.

A. Response from LÍNEA DIRECTA to the transfer of the claim and request for information from the Subdirectorate General for Data Inspection (SGID)

On 31/03/2022, the response was received from the Data Protection Officer
(DPD) of LÍNEA DIRECTA requesting that the claim be filed. Regarding the basis for the lawfulness of the processing, it invokes the concurrence
of two legal bases: sections a) and b) of article 6.1 RGPD.

It begins by referring to “three different facts” that in its opinion are
raised in the claim and that entail different data processing:

i. The first would be, in its opinion, the “request for insurance price” that the claimant made to LÍNEA DIRECTA. He says that the legality of “attending to the request for contracting an insurance for which a price has been requested” must be assessed and adds: “As it appears from the call, the claimant had already entered all his data on the Internet to obtain a quote, or at least had requested to be called (“We will call you for free”)

ii. The second fact consists of the “telephone call by MAJOREL”.

He explains that MAJOREL is the exclusive agent of LÍNEA DIRECTA, so we are dealing with a data processor who acts on behalf of and in the name of that party.

Provides (document number 1) the Insurance Agency contract entered into between MAJOREL and LÍNEA DIRECTA on 04/14/2021 by virtue of which the exclusive Insurance Agency contract that both parties had signed on 09/01/2010 was adapted to the provisions of Royal Decree-Law 3/2020, of February 4, on urgent measures by which various European Union Directives are incorporated into the Spanish legal system in the field of public procurement in certain sectors, including private insurance.

The data processing contract consists of thirty-five stipulations. It includes Annex I, “personal data protection”, Annex II, “security requirements to be implemented by the person in charge”, Annex III “Complementary to the RGPD Annex. Quality plan indicators”, and Annex IV, “Ethical Code”.

Document number 2 provides screenshots obtained on 04/30/2022 from the website of the General Directorate of Insurance and Pension Funds (DGSFP) in which MAJOREL is registered as an exclusive insurance agent with a contract with LÍNEA DIRECTA since 02/03/2011.

iii. The third fact is the “Consultation of DGT points”.

In response to the claimant's statement that the points associated with his driving license were consulted "without his authorization or consent," the DPD of LÍNEA DIRECTA alleges:

"It has been investigated whether this was the case, since the data processing contracts include, in clause seven, the need to obtain authorization to carry out any activity such as the one described. Reminders in this regard are also included, as justified by the quality plans for external sales operators. This is provided as DOCUMENT NUMBER 3."
(Emphasis added)

We now describe the two documents mentioned by the DPD:

a) The seventh clause of the Agency contract - provided as document 1 - which
establishes:

“INFORMATION AND PROTECTION OF CLIENTS DISTANCE MARKETING

In addition to the general obligations regarding information referred to in previous clauses, when carrying out distance marketing, the Agency is obliged, prior to the conclusion of the products subject to intermediation under this Contract, to comply with the previous obligations required in the specific regulations and specifically in the LSSICE and in the LCD in everything that is applicable to it.
Therefore, the Agency must identify itself as such in all calls and comply with the remaining provisions for this purpose established under the referenced regulations.

Likewise, the Agency declares its capacity to obtain the express and legally valid consent of the clients for the performance of the actions prior to the contracting of the mediated insurance product in accordance with the provisions contained in the RGPD and in the LOPDPGDD and included in the RGPD Supplementary Annex attached to this contract, in accordance with the instructions that LINEA DIRECTA indicates in this regard.
[…].” (The emphasis is ours)

b) The “quality plans for external sales operators” that the defendant insurer provides as document number 3, consist of a Word document in which part of the header of an email has been transcribed. On the left side of the document it is indicated:
“Motor_calidad”. “Sent by Motor_calidad” “02/18/2020.17:12”.

On the far right, the “To” and “cc” sections are blank. In the “cc” section, several email addresses are included, of which the only one that
belongs to the “majorel” domain is: “***EMAIL.2”.

As “Subject”, it appears in the document “General sales guidelines operation”.
Immediately below this text is included, without any indication of its
origin or the document from which it was extracted:

<<15 POINT CAMPAIGN:
- Like any campaign, it can be applied if our price is higher or there is a
complaint from the client.
- You must ask if it has the 15 points.
- You must request proof of the 15 points or ask the client for
authorization to carry out the online consultation.

>> it is considered a medium incidence.
>> in quotation and/or closing.>> (The underlining is ours)

As documents numbers 4 and 5, the DPD of LÍNEA DIRECTA provides the recording of the telephone conversation held between the MAJOREL worker/telephone operator and the complaining party. The conversation is interrupted by the complainant's lunch, hence there are two recordings.

The DPD makes these considerations regarding the audios of the conversations held

“ […]
b) It is observed in the conversation that the consultation of the DGT points is
carried out within the context of contracting a vehicle insurance policy, which
was finally contracted. Attached as DOCUMENT NUMBER 6 is the policy
that took effect precisely on the same day of the call, that is, on
01/13/2022.

c) The contracting of the policy, the price of which depends, among others, on whether or
not the 15 points are had, implies corroborating this information with the DGT.
The transcription of the recording is reproduced in this part (in bold and
underlined the points that affect this request):

• Operator: “I have an initial price of 501 euros, okay, it is initial, do you have the 15 driving license points?”
• Customer: “Yes”
• Operator: “Ok, can you please tell me the date your license was issued?”
• Customer: “Yes, 31/05/2007”
(…)
• Operator: “Excuse me, can you repeat the date your license was issued?”
• Customer: “31/05/2007”

• Operator: “Just a second while I make the enquiry”
• Customer: “Yes”
• Operator: “I’ll put you on hold and get back to you right away, okay?”
• Customer: “Of course”
(…) period of several minutes in which the enquiry is made to the D.G.T.
• Operator: “Thank you for waiting A.A.A., you currently have 11 points on your driving licence”
• Customer: “I don’t know, I have all 15”
• Operator: “No, you have 11 because I just checked with the D.G.T., I don’t know if they recently removed 4 points…”
(…) The policy is taken out by applying a discount and valuing the 11 points for this among other points.

d) Note that reference is made to the possibility that the 4 points that are supposedly missing have been removed “recently”, which implies that access has been made at that “recent” moment to the DGT. In fact, the claimant himself provides a “screenshot” from his mobile phone of the access system to the D.G.T. website to consult his points, which leads us to assume that he knew the system used, or was familiar with it, so that he was aware that the only possible consultation to compare his points balance was on the DGT website.

e) This DPD considers that it would have been more convenient and in line with the quality policy for the operator to expressly indicate not only “should I make the enquiry?”, but to have added “to the DGT,” or to use a formula such as “do you authorize me to consult your points with the DGT?” However, from the context of the conversation, it is clear that when the operator indicates “just a second while I make the enquiry (…) okay?” and the claimant answers “yes” or “of course”, it is because the claimant was consenting and authorizing such a consultation, as can be seen from having left him on hold for more than two minutes, and that the claimant waited patiently, and immediately afterward the operator resumed the conversation informing him of the points that he had “after consulting the D.G.T.”, (here the operator literally says that the consultation was with the D.G.T), which did not cause any surprise then, or that the policy was finally contracted.

f) We must also indicate that the consultation of the points does not require
express consent, as the claimant claims, which we set out in the
following allegation.” (Emphasis added)

The DPD concludes: “In short, the claim made is not well supported by the content and tone of the conversation held, since after listening to it, it cannot be denied that the claimant knew, at all times, that his points were going to be consulted with the DGT and that this was done to improve the price of the insurance, which had already been given to him by the operator.”

The DPD of LÍNEA DIRECTA provides two documents with number 6:

a) “The particular conditions of the automobile insurance policy no. ***REFERENCE.5”,
issued on 01/13/2022, in which the claimant appears as the policyholder and driver.

Among the data included in the particular conditions, the section referring to
the “Premium” of the insurance stands out. In relation to the “Annual Premium” it says “Total annual...530.79€”.
Below, “Campaign discount...-265.39€”. And then: “To be paid...265.40€”.

b) A document that deals with two issues:
(i) “Information prior to contracting Línea Directa Aseguradora, S.A.”
(ii) “Information about the mediator”, structured in four sub-headings. The third of them, “Processing of personal data of the client” includes this
information:

“The person responsible for the file of the data of the clients who contract an insurance
is LÍNEA DIRECTA ASEGURADORA, S.A. which will carry out the treatments that are
detailed in the Privacy Policy that is available on the website of the
insurance company and is attached to the contractual documentation.

MAJOREL SP SOLUTIONS, S.A.U. will process the data provided by the clients,
for the mediation of the requested insurance, as the data processor of
LÍNEA DIRECTA ASEGURADORA S.A., following the instructions of
the insurance company.” (The emphasis is ours)

LÍNEA DIRECTA dedicates the fifth allegation of its response to the transfer to explain the
“Difference between “consent” and “authorization” to consult the points on
behalf of the claimant.”

It states that “the quality policy of Línea Directa has established, for all operators and data processors, that authorization and consent be requested to consult the points from the D.G.T., thus being completely explicit.”

He then states that, “in the present case, what would be required is an authorization to consult the points online on behalf of the holder, in order to apply a well-known advertising campaign (https://www.lineadirectaaseguradora.com/-/15-puntos-seguro).”

He argues the following:

“The scope of this authorization is the general rules of the mandate, or representation, regulated in arts. 1709 et seq. of the Civil Code which, as is known, allows in art. 1710 Cc. that the mandate be express (express authorization), or “tacit”, that is, that it be inferred or deduced from the acts of the agent, as happens in this case, where although the operator does not use the recommended formula of “you authorize me to consult your points before the DGT”, such authorization is tacitly derived from the context of the conversation itself.

In fact, our Civil Code also regulates the management of third-party businesses without a mandate, such as a quasi-contract (arts. 1888 et seq. C.c.), where, as art. 1892 Cc. states, “The ratification of the management by the owner of the business produces the effects of the express mandate.” In this case, it is clear that, in the course of the conversation, reference is made to the consultation of the D.G.T. and the obtaining of the 11 points is assumed in order to, with them, also apply a discount, which would imply the ratification of the prior consultation itself.

Now, once the authorization for the consultation of the points balance has been obtained (tacit mandate ex. Art. 1710 Cc), or the consultation carried out to obtain the discount in question has been accepted (ratification ex. Art. 1892 Cc), the use and treatment of the personal data "points balance" does not require express consent, unlike what the claimant states." (The emphasis is ours)

LÍNEA DIRECTA concludes:

1. That the consent of the claimant was not necessary for the consultation of the
points on his license before the DGT. It states: "we are not faced with the need to
consent to the treatment of the points balance, since the legal basis for the
treatment of this information, necessary for the execution or celebration of the
contract, would be art. 6.1.b) GDPR, to the extent that the pre-contractual measure that necessarily required such processing was applied to the balance (discount campaign for 15 points).”

2. That, even if consent is required - a thesis that it denies - according to Recital 32 of the GDPR, valid consent is considered to be “any other statement or conduct that clearly indicates in this context that the interested party accepts the proposal for processing of his or her personal data.”

3. According to Guidelines 5/2020 of the European Data Protection Committee, in example 15, “consent may consist of actions such as waving at a smart camera, or even in adverse contexts of imbalance, such as the workplace, the European Committee considers it valid to sit in a certain area to be recorded, since it is understood that the people who have sat in that place consent to such recording. In other words, privacy legislation does not require a rigid formula that only goes through “do you consent to your data being processed?”, but rather consent can be inferred from the conduct of the interested party, having analyzed the context in question, as long as there is clarity.”

4. That there was a tacit mandate from the claimant to carry out the consultation: “Well, after analyzing the context and taking into account the conversation, we believe that there is not only
a tacit mandate to carry out the consultation, but also consent derived
from the conduct of the claimant himself.”

5. In any case, it is not considered necessary to obtain consent for the treatment of points balance “when this information is clearly necessary to apply a discount for a specific campaign (art. 6.1.b) GDPR) - a discount applicable for having a points balance to the extent that this reflects being a good driver - but rather mere authorization (mandate or representation) to carry out the consultation on behalf of the claimant, authorization that may be tacit, or that, even if it does not exist, is remedied by its subsequent ratification (art. 1892 Cc).”

In the sixth allegation of its written response to the transfer – under the heading “Consultation of points at the DGT informed by Línea Directa itself” – the DPD of LINEA DIRECTA explains that the “balance of the points associated with the driving license can be obtained in two ways:

(i) by means of a certificate issued by the DGT or (ii) by means of an online balance
consultation, that is to say through the DGT website.

(i) It explains that obtaining a certificate by the user implies that he/she must
pay fees of 8.67 euros; present proof of purchase of said fees; fill out forms and submit them in person or online with a signature, “which
constitutes a very complex procedure”.

Then the DGT argues that, “Since the certificate system is not agile, and also implies that the individual must pay 8.67 euros, the DGT has implemented an online access system to the points balance, through a process in which the interested party's NIF or NIE and the date of issue of the driving license are entered, as additional validation data.

As an additional security measure, to avoid indiscriminate use by third parties, the
DGT includes the introduction of CAPTCHA, and an email to
obtain the balance at that time. This email can be for one-time use, since the
system allows changing such email with the next access. With the process, no more
information can be accessed than that strictly related to the points balance
existing at that time, so that no other operation before the Administration, or any other information of the interested party, is
accessible or feasible.”

He adds: “when the interested party has not generated online access to his balance, or for speed and convenience, who is not forced to give his access data (since it is enough to change the email address at the next access), or when it is not feasible to have a certificate of points balance, this consultation model can be used, which ends with the sending to the interested party of an informative email of the consultation process followed before the D.G.T.

In other words, to avoid cases like the present one, as an additional measure to the established consultation and information process, Línea Directa has implemented an information process for the interested party by sending an explanatory email, which allows to record having given this information.

We do not know the reason why the claimant has chosen not to provide the
explanatory email, which we consider relevant.” (The emphasis is ours)

He provides, among others, these documents:

-Number 7. It is a screenshot with the following information:
On the first line “SMTP server”.

In the “Time” and “Recipients” columns, respectively: “2022-01-13 18:11:06:137”
and “***EMAIL.3.”
As subject, “Línea Directa Aseguradora; DGT points consultation result”.

The respondent states that this document is a copy of the one sent to the complainant on 01/13/2022.

-Number 8: The respondent refers to it as “the template of the email sent to [the complainant] informing him/her of the query made and that he/she can change the single-use email used to check the balance.” The text of the document reads as follows:

“Dear {namegreeting}
We are contacting you, in accordance with the conversation
held, to inform you that we have made the query of points to the
General Directorate of Traffic with your authorization and consent.
Our only purpose is to be able to offer you the best price for your Insurance.
The current balance of points provided by the General Directorate of Traffic for {full name} with DNI {NIF} is {points}
We inform you that we have automatically created a random, single-use email address, which you can modify if you wish, by accessing the traffic website www.dgt.es.”

-Number 9. Called by the respondent “Proof of correct sending of the three
emails”.

This is a screenshot obtained on 03/24/2022 showing the result of three emails sent on 01/13/2022 from no-reply@lineadirecta.es to the complainant's email address.

The first email was sent at 18:11:07 and was about the subject “Result of the
DGT point query”. The second, sent at 18:18:51, had the subject
“Welcome to Línea Directa”. The third, sent at 18:21:47, related to “Information document on the insurance product”.

-Number 10. “Summary of envelopes and headers”.

Through it, the receipt by the claimant on 01/13/2022 at
18:11:07 of the emails sent by LÍNEA DIRECTA is accredited.

The DPD of LÍNEA DIRECTA dedicates the seventh allegation of its writing to the
“Conclusions and decisions adopted regarding this claim”.

As measures adopted:
a) Check compliance with the quality plan. The aforementioned document 3.

b) Urge the exclusive agent, its data processor, to reiterate and reinforce compliance with the
quality plan referred to and provide the training required for its correct application.

c) That the data processor will implement specific audits.

d) That the data processor has informed him that the operator has been sanctioned for a very serious offence and will be removed from the service to LÍNEA DIRECTA.

B. MAJOREL's response to the information transfer of the claim and request for information from the SGID

The DPO responds on 04/01/2022 and says that MAJOREL complies with the GDPR. It also
invokes two legal bases for the processing: articles 6.1.a) and 6.1.b) of the GDPR.


Informs that LÍNEA DIRECTA and MAJOREL signed on 04/14/2021 an exclusive insurance agency contract that replaces the one signed between both parties in 2010, which includes the motor insurance mediation service of the insurance company.

Provides (document number 1) a copy of the Agency contract. Indicates that the regulation
on data protection is found in the annexes to the contract: annex I,
which “contains the requirements of article 28 RGPD regarding the provision of
services as a data processor”; II, which includes the “security requirements
to be implemented by the data processor”, and III, regarding the “quality plan indicators
for compliance with the RGPD regulations”.

Provides (document number 2) the “ANNEX 01/2022 OF THE MOTOR SALES CAMPAIGN,
dated 01/01/2022, where the “motor sales” campaign is detailed
relating to the facts reflected by the claimant [...]”

Explains that “The exclusive insurance agent is an intermediary contractually
linked to a single insurance company (in our case, LÍNEA DIRECTA) that
by means of a contract undertakes to exclusively mediate the insurance of the
insurer [..].” That “MAJOREL markets LÍNEA DIRECTA insurance
determined by contract through its telephone platform by making and
receiving calls, acting as an intermediary between potential clients,
policyholders and insured and LÍNEA DIRECTA.”

He sets out (second allegation of his submission) the causes of the
incident that gave rise to this claim, in the following
terms:
“he considers that there is no lack of consent from the claimant to the consultation of his
points before the DGT, since, as set out in the third allegation of this writing, the conduct of the claimant denotes as the only reason the omission of a mere
rigid formalism (specifically, not asking the interested party the question) since,
as we will explain later, it is clear that the claimant with his conduct
authorizes the consultation of the balance of his points with the sole objective of
benefiting from a discount on his policy.[…]”

The DPO (third allegation) makes the following clarifications regarding the claim
made by the claimant:

“The MAJOREL operator who makes the call to sell the car insurance,
formally does not request the express consent in a strict manner from the interested party,
breaching the internal regulations (orders and manuals) of the service established by
our client (LÍNEA DIRECTA) when consulting the driving license points at the DGT, although at all times [the claimant] is informed and authorizes
said consultation in the call itself (on several occasions) and, in addition, receives an email from LÍNEA DIRECTA in his
email after consulting his license points (an automatic email is generated sent from the Galgo system of LÍNEA
DIRECTA).

That is to say, [the claimant] is aware, at all times, that the operator of
MAJOREL carries out the aforementioned consultation of points and even disagrees on
them and, after consulting his points, receives an email informing him of this fact
with the exclusive purpose of being able to offer the best price for the insurance interested.

On the other hand, in the aforementioned automatic email that the claimant receives, he is informed of the creation of a random and single-use email address, which can be modified by the affected party when accessing the DGT website again.

From the above, it can be deduced that the procedure for consulting driving license
points is completely transparent, which reflects the exclusive purpose of being able to offer the
best price (discount) for the insurance to the interested party and without any other purpose or
benefit obtained from the consultation of points.

The operator is aware that the client receives the aforementioned email.

Therefore, the formal breach of the MAJOREL employee was not intended at any time to
hide access to the points on his driving license, but rather
shows a mere failure to follow step by step the protocols set out in the
service. In fact, in the call itself, the operator informs the interested party that he is
carrying out the consultation, leaving him on hold and, after accessing, informs him that after the
consultation he only has eleven points and not the fifteen necessary to benefit from the
sought discount, being authorized by the complainant who does not oppose the
action of the teleoperator. [...]
It is important to clarify to the AEPD that it is clearly inferred in the context of the
telephone conversation held that the interested party accepts the aforementioned consultation
of his points and is satisfied with the mediating action of MAJOREL, since
he agreed in the same call to contract the car insurance with LINEA DIRECTA,
which comes into force next April of this year.

The fact of disagreeing about the number of points on the driving license after informing
of the current points existing in the DGT, together with the fact that the teleoperator informs him and
puts him on hold while the consultation is carried out, reflects the consent derived from the
conduct of the claimant himself. That is, this claim denotes an intention to
twist reality a posteriori by relying exclusively on a rigid formula,
which is not intended by the legislator, when it clashes head-on with the conduct and acceptance
shown in the insurance marketing call.

[....]
Finally, MAJOREL could even consider (which it does not do, being a mere
data processor) that it is not necessary to obtain the claimant's consent
to check the balance of his points with the DGT, because this
information is clearly necessary to apply a discount for a specific campaign
that reflects being a good driver. All of this, through the mandate that is
granted to the insurer through the mediator.

The DPO (fourth allegation) communicates to the AEPD the decisions adopted after carrying
out the corresponding investigation and detailed study of the facts reflected in the
claim. In summary, the following:


“A security incident is opened in the service related to the
detailed facts. Attached is a screenshot of the ticket registered in the corporate incident management software (SolveIt).”

“Disciplinary measures have been taken against the teleoperator specializing in the LINEA DIRECTA service who made the call to the claimant on January 13, 2022 (login ***REFERENCE.2) for failing to comply with orders, instructions, procedures and operations of the service where he worked and which were sufficiently known to the employee both in his initial training and in successive refresher training. MAJOREL Management decided to classify the offense as very serious with a penalty of suspension of employment and salary for 4 days and, after his reinstatement, he is removed from the LINEA DIRECTA service. At the simple request of that Agency, if deemed necessary, we will provide this document.”

In the fifth allegation, the DPO refers to the measures adopted to prevent similar incidents from occurring, the dates of implementation and the controls carried out to
check their effectiveness. He explains that this incident “is the first one received, so it is understood that the current training and implementation plan is
correct. Therefore, it is considered a one-off or isolated event.”

He says that, “within MAJOREL's general improvement plan, the following action plan has been identified, assuming that all MAJOREL teleoperators who
work in the LINEA DIRECTA service have received initial training and receive
periodic refresher training:”

He distinguishes between an “Internal action plan” and a “Coordinated action plan with LINEA
DIRECTA”. The following measures are developed in the “Internal action plan”:

“1. Change in the monitoring standard, establishing a specific reinforcement of DGT authorisation control from 04/01/2022, so that the existing obligation to
request consent and authorisation is reinforced. In the monitoring standard, the DGT question that MAJOREL will establish from
04/01/2022 is: "Do you obtain consent and authorisation from the client to
perform the DGT consultation?" and the possible answers will be:
- Yes; - No; - N/A

The volume of audits where this control point will be carried out is approximately 140 monthly audits
(2 audits per teleoperator with an average of 70 teleoperators in car and motorcycle insurance sales services)

2. Establishment of a fortnightly reminder with the points to be met in
calls regarding the consultation of driving licence points. The reminder currently in place, which is being communicated to the service's teleoperators, is attached, as well as the training that we have published to the entire service to emphasize the procedure and which is repeated periodically.

3. Reinforcement and reiteration of the specific point "DGT points consultation" in initial and ongoing training.


4. Weekly analytical monitoring of calls with driver's license points consultation to the DGT."

He adds that specific audits are currently being carried out to control the correct application of the RGPD in the LINEA DIRECTA service. As of March 21, 2022, this control is replicated for the correct application of the license points consultation on the DGT website. There will be approximately 20 weekly audits
only to control this point, in addition to those mentioned above.

He provides these documents:

1. The Insurance Agency contract between MAJOREL and LINEA DIRECTA, signed on
04/14/2021 (number 1), whose twenty-third clause, "Data Protection", provides:

"In accordance with the applicable legal regulations regarding the Protection of
Personal Data, The Agency, in its capacity as the person in charge of processing the
data of LÍNEA DIRECTA as responsible, undertakes to comply with the content of the provisions of the Personal Data Protection
Annex, which is an integral part of this Contract as Annex I and III,
forming an integral part of it."

The contract includes four Annexes (I “Protection of personal data”, II
“Security requirements to be implemented by the data processor”; III “Complementary to the
RGPD Annex. Indicators of the Quality Plan for compliance with the RGPD regulations”, and IV “Code of Ethics”)

Annex I to the contract, “Protection of personal data”, states in its stipulation 2,
“Object of the processing order.”:

“2.1. By means of these conditions, the Data Processor is authorized to
process, on behalf of the Data Controller, the personal data necessary to provide the service subject to the Service
provision Contract signed between the Parties (hereinafter, the “Main Contract” or the
“Contract”). This Main Contract contains the detailed description of the services provided.

2.2. The processing that the Data Processor will specifically carry out will be only those strictly necessary to comply with the
object of the Main Contract. In accordance with the nature of such tasks, the Data Processor may carry out the processing activities indicated below:

x Collection
x Registration
x Structuring
□ Modification
x Conservation
x Extraction
x Consultation
□ Dissemination
x Interconnection
□ Comparison
□ Limitation
□ Deletion
□ Destruction
x Communication

2.3 The categories of personal data and personal data that the Data Processor must process for the execution of the obligations derived from the
fulfilment of the purpose of the Contract are the following:
o Customer data (name, surname, NIF, sex and telephone number).
o Data of potential clients (name, surname, NIF, sex and telephone number).”

Provision 5 of this Annex I, “Obligations of the Data Processor” refers
in point 5.1.b) to “The marketing and promotion of LINEA DIRECTA insurance products
described in Annex 1 of this Contract, in strict compliance with the instructions received from the Insurer and adhering to the premium rates that it establishes at any given time.”

Annex III to the Agency contract, “Supplementary to the RGPD Annex. Indicators of the
Quality Plan for compliance with the RGPD regulations”, includes, among others, these
stipulations:

“In order to comply with the obligations regarding the protection of personal data included in the current legislation and in
the RGPD annex of 019/04/2018 signed by the Parties, MAJOREL, in its
capacity as the person in charge of processing Línea Directa's personal data, undertakes to carry out the following actions:

- MAJOREL must strictly comply with the obligation to
inform/read the clause regarding the processing of personal data (RGPD clause) provided by LINEA DIRECTA and collect the consent indicated in
the different operations, in the applications of LÍNEA DIRECTA or those designated
between the Parties for these purposes, all of this, in all communications with the
clients.

- MAJOREL must carry out audits on its own behalf of all communications to control this obligation and report the overall result of these to the Data Controller, LINEA DIRECTA.”

2. The “Annex to the exclusive agency contract 01/2022 of the Motor Sales Campaign”,
dated 01/01/2022 states:

In point I. “Definition of the campaign”:
“The campaign consists of: sending and receiving calls to clients with the
objective of contracting Línea Directa car and motorcycle policies”. [...]

Point II, “Duration”:
“The campaign will begin on January 1, 2020 and will end on January 31, 2022. At any time, LINEA DIRECTA may cancel the
campaign referred to in this Annex by giving written notice 5 calendar days in advance and without giving rise to a claim for damages.” (Emphasis added)

THIRD: Admission for processing

On 04/07/2022, in accordance with article 65 of Organic Law 3/2018, of April 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, LOPDGDD), the claim submitted by the complaining party was admitted for processing.

FOURTH: Economic information on LÍNEA DIRECTA

According to the information obtained from the Axesor tool, LÍNEA DIRECTA
ASEGURADORA, S.A., COMPAÑÍA DE SEGUROS Y REASEGUROS, with NIF
A80871031, established on 05/04/1994, is the parent company of the LDA business group. The estimated sales volume for the year 2022 amounted to
***QUANTITY.1 and the estimated number of employees to ***QUANTITY.2.

FIFTH: Agreement to initiate proceedings

On 04/01/2024, the Director of the Spanish Data Protection Agency
agreed to initiate sanctioning proceedings against LÍNEA DIRECTA, in accordance with the
provisions of articles 63 and 64 of the LPACAP, for the alleged infringement of
articles 6.1 of the GDPR, infringement classified in its article 83.5.a), and 28 of the GDPR,
infringement classified in its article 83.4.

SIXTH: Notification of the initiation agreement

The initiation agreement is notified to the respondent party electronically, in accordance with the
rules established in the LPACAP, the notification being accepted on 08/01/2024, as evidenced by the receipt in the file.

SEVENTH: Request for extension of the deadline and copy of the file. Objections to the
initiation agreement “ad cautelam”.

1.- In a document submitted on 01/18/2024, LÍNEA DIRECTA requests, under article
32 of the LPACAP, “the extension of the deadline to respond to the Agreement to Initiate the
Sanctioning Procedure, with delivery to this party of as many reports and
actions as have been incorporated into the file”.

Next, in point 2 of that same document, it requests “subsidiarily” that
these allegations be considered “made ad cautelam and the documents that are incorporated with this document be provided.”

It also requests that the tests detailed in its sixth allegation be carried out.

2.- By means of two documents dated 01/19/2024, the investigating body grants the
extension of the period for allegations for the maximum legally permitted and provides
the respondent party with a copy of the administrative file.


3.- Ad cautelam allegations to the initiation agreement presented by LÍNEA DIRECTA on
18/01/2024.

LÍNEA DIRECTA's allegations to the initiation agreement, structured in six
sections, refer to two fundamental issues: on the one hand, the
presentation, with supporting documents, of the instructions that the
insurer gave to its data processor MAJOREL on the
processing operation that is the subject of this procedure; on the other hand, the admission that the
complainant did not give consent to the disputed processing. LÍNEA DIRECTA
links the recognition that the complainant did not consent to the processing of his
data to the fact that MAJOREL, and not it, is considered the data controller. In
summary, the allegations are made on the following issues:

1. It communicates that it has terminated the processing on which the claim is based.

It states that “it no longer carries out the processing referred to in the agreement to initiate the
sanctioning procedure” and explains that this is because “the conditions of access
to the information for consulting the points have been changing over time, as
even shown in the verification carried out on March 15, 2023 as
set out on page 22 of the Commencement Agreement.”

However, it warns that, in any case, consultation was possible in January 2022,
“in the terms referred to in the request for information EXP202202567 that was
presented at the time and which we consider reproduced, provided that the
interested party was informed and their consent was requested, among other points that we will
detail later, all of them duly documented.”

2. It comments extensively (second allegation) on the characteristics of the “special context” in which the data processing in question was carried out.

-It indicates that, in addition to the existence of a contract for the processing of data, MAJOREL and its employees are subject to sectoral regulations that entail “the existence of particular training on the subject of data protection and particular transparency in the contracting process”.

-That the operator who made the telephone call to the complainant acted as an employee of MAJOREL, in his capacity as data processor, and identified himself as such. An issue that, on the other hand, is not called into question by the start agreement.

- That MAJOREL is registered in the administrative register of mediators dependent on the DGSFP with the code ***REFERENCE.1. It provides (document 3) a screenshot of the registration in the aforementioned register.

-That the performance of MAJOREL and its employees is doubly regulated:
Through the insurance distribution contract with its annexes, on the one hand. On the other,
because articles 140 to 145 of Royal Decree Law 3/2020 on
Insurance Distribution apply, in particular article 147.3.b) according to which “all persons who participate directly in the distribution of insurance possess appropriate
knowledge and skills by passing training courses
in accordance with the provisions of Title I and its implementing regulations”.


-That the training they receive “is regulated”: it mentions Article 165 of RDL
3/2020; Royal Decree 287/2021, of April 20, on training and submission of statistical-accounting information of insurance and reinsurance distributors, whose
article 7 provides that any employee must complete a training of at least 150 teaching hours, or up to 300 hours, depending on the level held; and
the Resolution of June 3, 2021, of the DGSFP establishing the
basic principles of training courses and programs for insurance and reinsurance distributors.

-He considers that the best proof (i) “of what has been stated about this qualified
training of employees” and (ii) of “the existence of documented instructions
given to the manager and his employees” “is that the resolution of this
Agency itself reflects on page 12 of 42 that MAJOREL classified the actions of its
employee as a very serious offense with suspension of employment and salary for failing to comply
with orders, instructions, procedures and operations.”

3. Under the heading “analysis of the Agency contract signed with MAJOREL and its
annexes” (third allegation) it reproduces the following stipulations of the contract:

- Clause seven, third paragraph: “Likewise, the Agency declares its capacity
to obtain the express and legally valid consent of the clients for the
performance of the actions prior to the contracting of the insurance product
mediated in accordance with the provisions contained in the RGPD and in the LOPDPGDD and
included in the Complementary Annex RGPD attached to this contract, in accordance
with the instructions that LINEA DIRECTA indicates in this regard”. (The underlining is
ours)

- Clause 5.1.o), section III: “That all authorized operators who have
access to the files of LINEA DIRECTA must comply with the provisions of the
insurance distribution regulations, […]”.

-Clause 5.1.o), section IV: “In any case, the Agency guarantees that all human
resources that it allocates to the execution of this Contract with LÍNEA
DIRECTA and that therefore handle the data in the files owned by LÍNEA
DIRECTA comply with all legal and contractual obligations.”

It then states that it has been duly proven that the MAJOREL employee breached the instructions given by LÍNEA DIRECTA, a statement that it
supports on these three elements: (i) the special training of the data processor
Majorel and its employees; (ii) “the existence of contractual provisions regarding
the need to request consent when this is required in the operation (as
proven, it was required) and that it is in accordance with the GDPR” and (iii) “due to the existence
of specific instructions for the processing that we analyze in the following
allegation”

4. It dedicates a specific section to “the instructions given to the person in charge of
processing for his employees.”

It says that the MAJOREL employee who attended the complainant by telephone did
not request the certificate of his points, nor did he request consent for its
obtaining, thus breaching the instructions given by LÍNEA DIRECTA, and being therefore
sanctioned for a labor violation. He cites MAJOREL's response to the transfer of the
claim, in which he states that the employee “does not request express consent
strictly from the interested party, breaching the internal regulations (orders and
manuals) of the service established by our client (LÍNEA DIRECTA) when making the
consultation of the driving license points at the DGT”.

He explains that these orders and manuals are the specification of detailed and
documented instructions on the treatments and include how to carry out the operation
in detail, so that they “go even beyond the mere reference to documented
instructions of art. 28.3 RGPD”.

He provides these documents as evidence:

-With number 5, screenshots of the computer application “Manual Cartera”.
It documents and records the instructions that all operators must comply with, in particular the employees of a data processor, such as MAJOREL.

It provides an extract obtained from that application that corresponds to the so-called
“GENERAL SALES GUIDELINES OPERATION” dated 02/18/2020, in the part
corresponding to the 15-point campaign. Access is provided to the notification that was sent
to MAJOREL, from which an extract in Word with this information was provided to the Agency, with the response to the transfer of the
claim: “15 POINT CAMPAIGN: -
Like any campaign, it can be applied if our price is higher or there is a complaint
from the client. - You must ask if it has the 15 points. - You must request proof
of the 15 points or ask the client for authorization to make the online consultation.”

It is verified that the sales operation was sent on 02/18/2020 at
17:08:54 by means of an email sent by B.B.B. on behalf of
Motor/Línea Directa and the recipients of the message, among them it is stated that a copy was sent
to the address ***EMAIL.4.

In addition, it provides a report prepared by the quality department of LINEA
DIRECTA after having audited MAJOREL in 2022 (Majorel sales
2020 Report) which comments that it includes the same incident that has occurred in the
analyzed factual situation and that it implements reinforcement plans to remind the
importance of requesting consent.

In document 7.bis, “Majorel sales report 2020” there is a mention of this
incident: “DGT or 15 points. Apply it without a price complaint and do not indicate/ask for permission
to make the query through the DGT website”.

And as a reinforcement measure, the following is included in the document:
“DGT CONSENT. We remind you of the importance of asking
authorization/consent from the client to be able to make the DGT query in the
context of applying the 15-point Campaign. As you know, this is a matter of
special legal relevance and we must do it with great care. The fact of asking
for the date of issue is not enough, we must mention in the call for which we
ask: "to make the query to the DGT". Sometimes we omit that it is to
make the query to the DGT.”


5. The longest section of the allegations is devoted to the “analysis of the
documented instructions of LÍNEA DIRECTA for the operators employed by MAJOREL”.

The respondent's analysis of the instructions given to its data processor
ends with two conclusions. The first is that there was a contract of assignment with its
annexes and that there were also documented instructions whose non-compliance
generates penalties. The second is that the data controller subject to this procedure is not LÍNEA DIRECTA but MAJOREL.

LÍNEA DIRECTA maintains that, as indicated in the response to the request for information,
the operator employed by the MAJOREL manager “was not rigorous in the
application of the instructions given, without prejudice to the fact that, honestly, from the context
and tone of the conversation we believe that the interested party did have knowledge that the
consultation was made [...] Be that as it may, for the purposes of Línea Directa it is relevant to remember
that, in accordance with art. 28.10 RGPD, the person responsible for these breaches would be
MAJOREL, and not Línea Directa.”

It bases this statement on the conclusion reached on page 19 of the initiation agreement, which
states: “If it is true that MAJOREL, through its employee, acted outside the
instructions supposedly received from LÍNEA DIRECTA, it would be, by virtue of
article 28.10 of the RGPD, the person responsible for the processing of the claimant's data
on which this initiation agreement is based. Let us remember that article 28 of the GDPR provides:
Without prejudice to the provisions of articles 82, 83 and 84, if a data processor infringes this Regulation when determining the purposes and means of processing, he shall be considered a data controller with respect to such processing.”

Provides and describes the following documents:

- A Certificate issued by MAJOREL in which this data processor
declares that:

(i) the email sent on 02/18/2020 by LÍNEA DIRECTA to the address
***EMAIL.4 was received correctly.

(ii) That this email address was the one that MAJOREL provided to LÍNEA DIRECTA
“as valid for receiving information on campaigns such as “15 points” among
others.”

(iii) That it makes available to the Agency, if necessary, the documents
that prove the specific training received by the employee who assisted the complainant, as well as the measures that were adopted for his performance on the occasion of
the call to the complainant.

(iv) That the instructions received from LINEA DIRECTA are documented in orders
and manuals that are complemented by training sessions.

(v) That the “LDA Emisión Motor Manual” (version 13/07/2021) that is provided as an
annex corresponds to the orders and manuals in force in January 2022.

-The document “LDA Emisión Motor Manual” (number 8) offers the following
information:

a. Explain, section 9.3, under the heading “DGT 15 Point Discount” what DGT points consist of.

b. Indicate that the consultation of points requires consent and authorization to
do so, that it will be valid for three months and will be carried over into any
budget made in that period of time. At the time of the consultation, the
customer will receive an informative email with the result of the consultation.

c. For customers who do not wish to have the consultation carried out by LÍNEA DIRECTA,
“the old campaign can be used, which we will see later.”

d. The steps of the procedure to follow for the consultation of points by
LÍNEA DIRECTA are detailed, in general terms, as follows:

1. Before consulting the DGT points, the quote must be completed to inform the
initial price and see if it is necessary to apply the campaign.

2. (…)

The OLD DGT POINTS CAMPAIGN is mentioned with this information:

“Whenever possible, we must apply the NEW campaign, but in some
cases it will not be possible. We will use the old campaign (…).

When the client tells us that (…) he has the 15 points on his license, we inform him
that to qualify for this promotion he must send us proof of points. When
applying the campaign, (…).

The instructions for downloading the proof from the DGT are given below.

-Document dated 04/21/2021 to raise awareness among employees of the need to
ask permission to consult points with the DGT (document number 10)

EIGHTH: Second allegations of the respondent party to the start agreement.

On 29/01/2024, LÍNEA DIRECTA submitted a second written statement of allegations in
which it requested that the statements it submitted "ad cautelam" be considered definitive; that the documents it submitted with its first written statement of allegations, dated
18/01/2024, be considered provided, as well as those it included in its second written statement of allegations:
a complete transcript of the telephone conversation held with the claimant
and the MAJOREL employee after the call was made.

It also requests that the evidence presented in the sixth allegation of the written statement of allegations "ad cautelam" dated 18/01/2024 be considered as requested.

NINTH: Denial of the evidence requested by Línea Directa in its written statement of allegations of 18/01/2024.

1. The respondent requested in its allegations to the opening agreement, in order to
justify what is stated therein, the practice of the following tests:

“1. That the responses be considered incorporated, with documents attached to them, presented at the time in response to the requests for information,
both by the entity MAJOREL, and by Línea Directa Aseguradora.

2.That the MAJOREL entity be required to provide […]:

a) In accordance with point 5 of its certificate provided as document number 8 of this
writing, the justification of the training courses carried out by the operator D.
C.C.C., with login ***REFERENCE.2.

b) Supporting documents for the disciplinary measures adopted by MAJOREL
against the teleoperator (login ***REFERENCE.2) who made the call to the claimant
on January 13, 2022 for failing to comply with orders, instructions, operational procedures
of the service where he worked and which were sufficiently known to the employee
both in his initial training and in successive refresher training.

c) Contribution in electronic format of the email of February 18, 2020
sent to the address ***EMAIL.2 , or failing that, contribution of the properties of
said email and its attachment.

d)Provision of documents for reminders of penalties, as well as for courses or employee training sessions given on dates immediately before and after January 13, 2022, in particular for penalties for failing to comply with the “15 points” campaign and not indicating or requesting permission to consult the DGT website, in particular for penalty reminders of July 31, 2020 and April 21, 2021.”

2. Article 77.3 of the LPACAP establishes that the “instructor of the procedure may only reject the evidence proposed by the interested parties when it is manifestly inappropriate or unnecessary, by means of a reasoned resolution.”

The investigating body, after examining the file and the proposed evidence,
considers that, with the exception of the request included in point 1 – “That the responses be considered
incorporated, with documents attached to them, presented
at the time in response to the requests for information, both by the entity
MAJOREL, and by Línea Directa Aseguradora.”-, the rest, detailed in point 2,
are absolutely unnecessary and therefore their
practice was inappropriate.

This conclusion is based on the fact that its purpose was to reinforce the claim of LÍNEA DIRECTA that it provided documented indications to its data processor MAJOREL, a matter on which the respondent entity has made a detailed analysis in its allegations to the opening agreement and has provided abundant supporting documentation. The proposed evidence would seek to further reinforce two points that are not the subject of discussion in view of the documentation provided attached to the allegations: That the MAJOREL employee had received adequate training in the matter and that the employee failed to comply with the orders and instructions of his employer provided through the insurance company being claimed, the failure to comply with the action protocol regarding the 15-point campaign that he was obliged to follow, which determined that he was disciplined by the company. The issue that the investigating body takes into consideration in order to estimate that the practice of the proposed tests is not appropriate is not only that they were unnecessary to the extent that there is already sufficient evidence of the points that are to be proven, but, fundamentally, that, contrary to what the respondent party considers, from the point of view of non-compliance with data protection regulations, this issue does not affect the application of article 28.10 of the GDPR.

This is because the factual condition to which article 28.10 of the GDPR links the
legal effect of considering the processor responsible for the treatment is that the processor infringes the GDPR when determining the purposes and means of the treatment. This is
different from the fact that the processor has not complied with the orders and instructions that the controller
provided him in a documented manner.

The deviation from the purposes and means of the processing referred to in article 28.10 of the GDPR is connected with the purpose of the processing designed by the controller and with the means provided for its fulfillment: in this case, the consultation of the balance of points held by the DGT using the DGT website, authenticating the MAJOREL employee with the claimant's data (NIF and date of issue of his card) and providing an email address that the interested party does not know where he receives the access key to the information. In such a way, there is no deviation in the purposes and means of the processing when the person in charge deviates from the instructions and does not obtain the consent of the claimant to consult his balance of points through the DGT website but the data is processed for the purpose intended by the controller and on his behalf. This and nothing else is the correct meaning of Article 28.10 of the GDPR, so the erroneous comments on the matter that were included in the start agreement cannot alter the true meaning of the rule.

TENTH: Diligence of incorporation of documents

By means of a diligence signed on 11/14/2024, the investigating body records the incorporation into the reference file of the claim filed and its attached documents; of the documents generated and obtained by the SGID during the transfer of the claim and information request; of the written allegations presented by the respondent party and its attached documentation, as well as the screenshots of the DGT website obtained on 03/15/2023.

ELEVENTH: Proposed resolution

On 11/21/2024, the investigating body issues the proposed resolution of the
sanctioning procedure in these terms:

<<1. That the Director of the Spanish Data Protection Agency shall sanction
LÍNEA DIRECTA ASEGURADORA, COMPAÑÍA DE SEGUROS Y REASEGUROS,
S.A., with NIF A80871031, for an infringement of article 6.1 of the GDPR, classified in article 83.5.a) of the GDPR, with an administrative fine (article 58.2.i, GDPR) for an amount of €100,000 (one hundred thousand euros)

2. That the Director of the Spanish Data Protection Agency shall sanction
LÍNEA DIRECTA ASEGURADORA, COMPAÑÍA DE SEGUROS Y REASEGUROS
S.A., with NIF A80871031, for an infringement of article 28 of the GDPR, classified in article 83.4.a) of the GDPR, with an administrative fine (article 58.2.i, GDPR) for an amount of €200,000 (two hundred thousand euros)

3. That the Director of the Spanish Data Protection Agency orders
LÍNEA DIRECTA ASEGURADORA, COMPAÑÍA DE SEGUROS Y REASEGUROS
S.A., pursuant to article 58.2.d) of the GDPR, within three months from the date the sanctioning resolution was enforceable, to prove that it has adopted the necessary measures to adjust its actions to the provisions of articles 6 and 28 of the GDPR.>>

TWELFTH: Objections to the proposed resolution

On 04/12/2024 LINEA DIRECTA presents its objections to the proposed resolution in which it requests that the procedure be considered completed in a timely manner and reiterates the request that "the evidence included in our previous letter be admitted, consisting of requiring the MAJOREL entity to provide [...]:

e) In accordance with point 5 of its certificate provided as document number 8 of the previous letter, the justification of the training courses carried out by the operator D. C.C.C., with login ***REFERENCE.2.

f) Supporting documents for the disciplinary measures adopted by MAJOREL against the teleoperator (login ***REFERENCE.2) who made the call to the claimant on January 13, 2022 for failing to comply with orders, instructions, operational procedures of the service where he worked and which were sufficiently known to the employee both in his initial training and in successive refresher training.

g) Electronic submission of the email of February 18, 2020 sent to the address ***EMAIL.2, or failing that, submission of the properties of said email and its attachment.

h) Submission of the penalty reminder documents, as well as employee training courses or sessions given on dates immediately before and after January 13, 2022, in particular penalties for failing to comply with the “15 points” campaign and not indicating or requesting permission to consult the DGT website, in particular penalty reminders of July 31, 2020 and April 21, 2021.”

(Emphasis added)

The respondent structures the arguments it invokes through these headings:

1. First, under the heading “Aspects included in the agreement to initiate the sanctioning procedure that have been ignored”, it draws attention (i) to what it calls “some questions of legality that were present in the Agreement to initiate this procedure, which have been ignored” and (ii) to others “that are specific to the insurance sector legislation”.

(i) Regarding the questions of legality that have been overlooked.

The respondent says:

“Thus, first of all, we were informed in the Agreement to Initiate the Sanctioning Procedure
that the subject of the infringement would be the data processor
MAJOREL, in application of art. 28.10 RGPD, if it was possible to prove that, in fact,
instructions had been given to said processor to obtain consent.

Indeed, page 19 of the Agreement to Initiate the Sanctioning Procedure invited
proving that the instructions had been sent to the processor. The page indicated
(the underlining and bold are ours, emphasizing the adverb “supposedly”):

If it is true that MAJOREL, through its employee, acted outside the
instructions supposedly received from LINEA DIRECTA, it would be, by virtue of
Article 28.10 of the GDPR, the controller of the claimant’s data about which this initiation agreement is based. Let us recall that Article 28 of the GDPR provides:

Without prejudice to Articles 82, 83 and 84, if a data processor infringes this Regulation when determining the purposes and means of
processing, it shall be considered a data controller with respect to such
processing.”

Why was the referral of such instructions to the processor in the Initiation Agreement questioned? Because it was stated in the Commencement Agreement that these instructions on the treatment of the “15 points” had been sent to an email address other than the one specified in the contract of art. 28 RGPD signed between the parties, therefore not giving them legal validity for the purposes of said art. 28 RGPD. Thus, page 34 of the Commencement Agreement stated that:

If, as LÍNEA DIRECTA claims, the proof that it complied with article 28.3 of the
RGPD, that is, that there were instructions addressed to its manager regarding the
processing operation that is the subject of the claim, is a document that partially
transcribes an email that was sent on 02/18/2020 from “Motor_calidad”,
in which the recipient is not indicated and whose text does refer to the
15 points campaign, the consultation of the points balance through the DGT application and the need to obtain the consent of the data owner, it would be
necessary, at least, to prove that the electronic message was sent to
the email address indicated in the contract for the purposes of notifications between the contracting parties
(in this case, stipulation twenty-first, to ***EMAIL.5).

Thus, we can affirm that the Agency contract signed between LÍNEA DIRECTA and MAJOREL – in which, by requirement of article 203.2 of RDL 3/2020 (…) all the details relating to the processing order referred to in article 28.3 of the RGPD must be included – is missing a reference to the processing operation (of its object, purpose, nature and data processed) which consists of consulting the balance of points of the applicant for car insurance through the DGT website.” (Emphasis added)

He states that “On the basis of what was indicated then, [in the start agreement] this party provided abundant evidence that we will refer to later, and requested the practice of other evidence that has been denied, with respect to proving the transmission and the legal link of such instructions given to the person in charge, as we indicated in the first allegation regarding the denial of evidence.” And he adds that such instructions were seen in the start agreement as received by MAJOREL since the employee who breached them had been sanctioned in consideration of them.

ii. It indicates that the legislation on insurance “requires checking all the circumstances that may influence the risk (article 10 Law 50/1980, of 8 October, on Insurance Contracts - hereinafter LCS), among which, obviously, may be being a good driver in order to reduce the price of the insurance.” In addition, it makes a brief reference to the principle of sufficiency of the premium and the criteria in consideration to which insurers are obliged to calculate the amount of the premium.

iii. It is worth mentioning the following statements made by LINEA DIRECTA in the section of the preliminary allegation, given their relevance:

“It should be noted that the balance of points is not taken into account, but only if you have “the 15 points”, that is, what in Spain is equivalent to being a good driver for having received a bonus or having taken awareness courses (which is not even comparable to an administrative infraction), since the Spanish system is completely different from that of Latvia, Germany and other countries in our environment.”

It states that the Agency has made “an extensive interpretation of the sanctioning law to points not expressly reflected in the offending rule, as we will say later (fourth allegation), and even contrary to art. 27.2 LO 3/2018, of December 5, Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD hereinafter), which even allows administrative violations to be dealt with with the consent of the interested party.”

It also maintains that the “15 points” campaign “was embedded” in its commitment to road safety “to value, by rewarding in the calculation of the premium, the effect of being a “good driver” through a substantial discount on the price. That is, only the driver who had the “15 points” bonus could be deserving of a discount, and this because the law allows it as there is less risk in these people.”

He concludes: “In short, the only thing that was intended was to convert the bonus points given by the Administration into a saving for the insured who requested it, because the law allows a lower premium to be set on the basis of certain and reliable data, since the premiums cannot be set freely without further ado, and also indicating that consent must be taken into account, as even art. 27.2 LOPDGDD allows.” (The emphasis is ours)

RESPONSE NOTE:


2. The first allegation is entitled “Regarding the proposed evidence: denial based on art. 28.10 RGPD when the proposed evidence served to justify the existence, receipt and legal binding of the instructions given to the person in charge, for the purposes of the alleged infringement consisting of the nonexistence of a contract under art. 28 RGPD”.

In this section, it sets out its disagreement with the inadmissibility of the evidence agreed by
the investigating body and with the reasons on which it based such decision and says:

“The investigating body, after examining the file and the proposed evidence,
considers that, with the exception of the request included in point 1 (…) the rest
- detailed in point 2 - are absolutely unnecessary and therefore
their practice was inappropriate. (…).

This conclusion is based on the fact that its purpose is to reinforce LÍNEA DIRECTA's claim that it provided documented instructions to its data processor MAJOREL, a matter on which the respondent entity has made a detailed analysis in its allegations to the opening agreement and has provided abundant supporting documentation. The proposed evidence would seek to further reinforce two points that are not the subject of discussion in view of the documentation provided attached to the allegations: That the MAJOREL employee had received adequate training in the matter and that the employee failed to comply with the orders and instructions of his employer provided through the insurance company being claimed, the failure to comply with the protocol of action relating to the 15-point campaign that he was obliged to follow being what determined that he was disciplined by the company.

In the face of the reasons on which the investigating body based the inadmissibility of the proposed evidence - that they were unnecessary insofar as the points that were intended to be proven had already been proven and that this evidence in no way affected the application of article 28.10 of the GDPR - LÍNEA DIRECTA considers that if the proposed evidence had been unnecessary, it would not be possible to sanction, as the proposed resolution does, for failure to comply with article 28 of the GDPR.

“However, with all due respect, either the evidence is necessary and must be
carried out to prove that Línea Directa has given binding instructions
to MAJOREL that have been breached, and if this is the case, there would be no sanction for
violating art. 28 RGPD; or, if the proposed evidence is really
unnecessary, there would be no sanction for violating art. 28 RGPD, applying in
such a case, it is copied literally, that “the employee breached the orders and
instructions of his employer provided through the insurance company
claimed.”


And adds: “The key to this dilemma is that evidence cannot be denied unless it
is manifestly inappropriate or unnecessary, and the right to evidence must prevail in case of doubt.”

He states that “the evidence proposed by this party in the administrative process is evident as pertinent and useful from the moment in which it is proposed to sanction my representative, since with such evidence it will be proven that Línea Directa not only imposes specific instructions on MAJOREL, but also requires that specific training courses be carried out for the operator on the basis of such instructions (that is, that they do not simply remain on “dead paper” in a contract between merchants), and even penalizes MAJOREL economically if they are not complied with, since we requested that the entity MAJOREL be required to provide before this worthy Agency and in relation to the issue at hand:

“Said practice of evidence is reiterated in this act, since it deals with documents that can only be provided by MAJOREL, in particular all those related to the relations between employee and employer.
Please note that, as indicated on pages 40 and 41 of the Proposed Resolution, one of the key points imputed to these instructions is that consent as such was not required, but merely authorization to verify that “the 15 points” were available. However, “consent” is what Línea Directa requested from MAJOREL and what is made explicit in the Manual provided and in the training courses, and it is precisely for its non-compliance that the worker was sanctioned.”

The respondent reproduces below these fragments of the proposed resolution:

“[…] asked the complainant the question of whether he agreed to be consulted on his points balance. LINEA DIRECTA has provided, with its allegations to the start agreement, various documents that prove that there were documented instructions regarding the fact that, in relation to the so-called 15 points of motor sales campaign, it was mandatory to request the customer's consent to consult their points balance and inform them that the consultation is made to the DGT. But LÍNEA DIRECTA forgets that the processing operation that MAJOREL employees could carry out, consisting of consulting the balance of points in the DGT file, had to have a basis for legitimacy of those exhaustively collected in article 6 of the GDPR and that in order to be based on the consent of the interested party, it was necessary that the elements collected in article 4.11 of the GDPR were present, that is, that the consent consists of a manifestation of free, specific, informed and unequivocal will (…)”

After which, it concludes that the fundamental right to use the means of proof has been violated (ex article 24 of the Spanish Constitution):

“For all the reasons stated above, and because, in essence, the instructor is not persuaded of the existence and transmission of the instructions given when maintaining the sanction of art. 28 RGPD, it is considered that the proposed test would shed light on the reality of the receipt of the instructions that we have provided documented by Línea Directa, in particular in the training courses that the worker has had to take.

[…] the legislator only allows, and by means of a reasoned resolution, to deny “manifestly” inappropriate or unnecessary evidence, or what is the same, non-practice is only possible in cases where such unnecessariness or inappropriateness is absolutely evident, which is not noticeable in cases such as the present one in which, in the paragraph following the denial of the evidence, the Proposed Resolution ends by sanctioning for not proving the existence of the instructions given.”

The resolution itself supposes a violation of the fundamental right to use means of proof ex. Art. 24 CE and, in this sense, we cite the STC 35/2006, of 13 February, in which the violation of fundamental rights in the processing of the administrative sanctioning procedure is assessed, pointing out “…such violation could not be cured in the administrative litigation process, since as stated in the STC 59/2004 of 19 April FJ 4, “the subsequent administrative litigation process can never serve to remedy possible injuries to constitutional guarantees caused by the Administration in the exercise of its sanctioning power. This is so, among other reasons, because the object of the administrative litigation process is the review of an administrative act of imposition of a sanction.”

He also mentions STS 1599/2023, of November 29, 2023 and the STSJ of Madrid, Contentious Chamber, judgment number 527/2024 (Roj: STSJ M 11243/2024 - ECLI:ES:TSJM:2024:11243) of October 25, 2024, which recalls that the application of the denial of evidence in administrative proceedings must necessarily be restrictive:

Finally, he adds that “the proposed evidence, insofar as it affects data of a
third party (MAJOREL and MAJOREL employees), could only be provided at the request
of the sanctioning administration.”

3. The second allegation is entitled “On compliance with art. 28 RGPD”.

LINEA DIRECTA begins by saying:

The resolution proposal states that the treatment “is not contemplated in the Agency contract (in which the agreement for the processing assignment must be included); nor in the main contract nor in any of its annexes” and although the existence of the instructions given and the documented record of the same are recognized, it is indicated that these documents are not legal acts in the strict sense.”

Next, the respondent reproduces two paragraphs of the written proposal for a
resolution that are not correlative, since the first paragraph reproduced is followed by
several others in the same sense that have been omitted. We transcribe below the
two paragraphs of the proposal that the respondent has reproduced:

“All the arguments that it adduces and the documents that it provides in the process of allegations to the opening agreement are related to the indications to which the person in charge had to adjust his performance, thereby completing the documentation provided with the response to the transfer. The documents provided with the allegations to the start agreement consist of screenshots that prove that the defendant has a computer application in which the instructions given to the managers and their employees are recorded and that allows access to the history of these instructions, to the point that it has been able to access the electronic message sent 02/18/2020.17:12 with a copy, among others, to the address of the domain “majorel” ***EMAIL.2 referring to the “General sales guidelines operation”.”

“In any case, it is necessary to highlight that none of these documents has the nature of an act or contract that legally binds the parties, as required by article 28.3 of the RGPD in relation to the order of treatment. In short, the Agency contract included in the file, provided as a contract for the processing of data between LÍNEA DIRECTA and MAJOREL, does not include any of the indications that make up its mandatory content, to which article 28.3 of the GDPR refers.”

LÍNEA DIRECTA objects that such a conclusion of the resolution proposal differs from the recommendation of the European Data Protection Board (EDPB hereinafter) in section 118 of Guidelines 7/2020, "which states that these instructions may be in writing, as an alternative to being included in a contract or in an annex, for example, in an email. The EDPB points out in section 118 of Guidelines 7/2020: "The instructions provided by the data controller must be documented. To this end, it is recommended to include a procedure and a template for providing future instructions in an annex to the contract or other legal act. Alternatively, instructions can be given in any written form (e.g. by email) and in any other documentary form, provided that it is possible to keep a record of such instructions.”

He adds that “the essential thing reflected in art. 28 RGPD, as previously required by art. 12 LO 15/1999, of December 13, is that the person in charge of the treatment is bound by the instructions provided by the person responsible, that is, that they have legal effect for the person in charge. In our case, this link is such that even Línea Directa applies penalties to MAJOREL for failing to comply with these instructions that are materialized in a Manual, as we have alleged and justified.”

“Therefore, please note that a certificate issued by the data processor MAJOREL has been provided, which attests that (i) this manual exists and existed at the time of the events, (ii) that the instructions were received at the email address indicated for this purpose by MAJOREL, as well as that, obviously, (iii) such instructions are those generated by and for Línea Directa. This certificate was provided with various annexes as DOCUMENT NUMBER 8 of our previous allegations. Part of it is reproduced:

4. It invokes the application of article 10 of Law 50/80 of the Insurance Contract Law and the sectorial insurance regulations. The violation of the principle of proportionality and of the non bis in idem principle and that the mention of the CJEU is an extensive application in malam of the sanctioning regulations.

From the actions carried out in this procedure and from the documentation in the file, the following have been proven:

PROVEN FACTS

FIRST: On 01/14/2022 the claimant filed a claim in which he states that on 01/13/2022 he requested the price of the car insurance from LÍNEA DIRECTA and subsequently received a phone call from the mediator MAJOREL "who has consulted my driving license points balance without my consent, through the DGT website, without a certificate."

He explains that “They have entered my ID number, my driving license issue date, and inserted an email address that is not mine, without my consent, so that the DGT could send him an access code to find out my driving license points balance.” “[…] I have checked the email address they have used by accessing the DGT website and requesting the password recovery by email. The email address that appears is ***EMAIL.1.” (The emphasis is ours)

SECOND: The complainant party provides a screenshot with the following heading: “Government of Spain”, “Ministry of the Interior”, “General Directorate of Traffic”. Next, he includes this information:

- “Access code request. Step 2 of 2 - Verification of personal data.”
- Below, in a box, the name, surname 1, surname 2, NIF and date of issue of the driver's license of the claimant.
- Below, in two boxes with the headings “E-mail” and “E-mail verification”, the e-mail address: ***EMAIL.1.
- Finally, preceded by the information symbol, the legend “The e-mail address that you indicate will be where you will receive your access code”.

THIRD: In the file, provided by LÍNEA DIRECTA (documents 4 and 5
attached to the response to the transfer), there is the recording of the telephone conversation
that the claimant and the MAJOREL employee had. The partial transcription of
that recording says:

“• Operator: “I have an initial price of 501 euros, okay, it is initial, do you have the 15 driving license points?”
• Customer: “Yes”
• Operator: “Ok, can you please tell me the date your card was issued?”
• Customer: “Yes, 05/31/2007”
(…)
• Operator: “Excuse me, can you repeat the date your card was issued?”
• Customer: “05/31/2007”
• Operator: “Just a second while I make the enquiry”
• Customer: “Yes”
• Operator: “I'll put you on hold and get back to you right away, okay?”
• Customer: “Of course”
[silence]
• Operator: “Thanks for waiting A.A.A., you currently have 11 points on your driving license”
• Customer: “I don’t know, I have 15”
• Operator: “No, you have 11 because I just checked with the D.G.T., I don’t know if they recently removed 4 points…” (Emphasis added)

FOURTH: LÍNEA DIRECTA states (in response to the complaint transfer) that “Taking out the policy, the price of which depends, among other things, on whether or not you have the
15 points, implies corroborating this information with the DGT.” (The emphasis is ours)

FIFTH: LÍNEA DIRECTA provides (response to the transfer of the claim) the template
of the text of the “explanatory email” that it claims to have sent to the
complainant informing him that he made a query of his points with the DGT on
01/13/2022. The template (document 8 attached to the transfer) says:

“Dear {namegreeting}
We are contacting you, in accordance with the conversation
held, to inform you that we have made the query of points to the
General Directorate of Traffic with your authorization and consent.
Our only purpose is to be able to offer you the best price for your Insurance.

The current balance of points provided by the General Directorate of Traffic for
{full name} with DNI {NIF} is {points}
We inform you that we have automatically created a random, single-use email address, which you can modify if you wish, by accessing the traffic website www.dgt.es.” (The underline is ours)

As proof of sending the email, it provides a screenshot of a computer application with the details of the email sent at 18:11:07 on 13/01/2022 from
no-reply@lineadirecta.es to the claimant's email address with the subject “Línea
Directa Aseguradora: DGT points consultation result”, message number (…).
(Documents 9 and 10 attached to the reply to the transfer)

SIXTH: LÍNEA DIRECTA states (reply to the transfer) that “the balance of the
points associated with the driving license can be obtained in two ways: (i)
through a certificate issued by the D.G.T. or (ii) through an online
balance query, that is, through the D.G.T. website.

Obtaining a certificate by the user implies that the user must pay fees number 4.1, amounting to 8.67 euros, present proof of purchase of said fees, fill out forms, submit them in person or online with confirmation, etc., which constitutes a very complex process. […].” “Given that the certificate system is not agile, and also implies that the individual must pay 8.67 euros, the D.G.T. has implemented an online access system to the points balance, through a process in which the interested party's NIF or NIE and the date of issue of the driving license are entered, as additional validation data.”

“As an additional security measure, to avoid indiscriminate use by third parties,
the D.G.T. includes the introduction […] of an email to obtain the balance at that time. […].” (The emphasis is ours)


SEVENTH: The file contains the screenshots obtained on 03/15/2023 from the website sede.dgt.gob.es/es/permisos-de-conducir/consulta-tus-puntos/, incorporated by means of a Diligence of the investigating body signed on 11/13/2024, which prove that on the date they were obtained, under the title “Points balance consultation”, five ways to access the points were reported: Key; username and password; in person; telephone and myDGT App.
-Under the title “What should you know?” it states:

“You can check your current points balance as long as your license is in force. You can obtain information about your history of recovery and loss of your points, detailing the date, the points penalized or gained, always clarifying the possible types of infractions you incurred or the awareness courses you took.

If you need an official certificate of points for a third party, you can obtain it at
any Traffic Headquarters or Office by making an appointment or requesting it online. […].

-Under the title “Who can do it?”, it states:
“The interested person themselves, if the query is made online. If it is made by another means, any person authorized on their behalf.
To authorize another person acting on your behalf, you can designate a representative through our Registry of powers of attorney.
They can also appear in person provided they have a document signed by the interested person authorizing them to make the request, and stating its free nature. To do this, download and fill out the DGT authorization form for granting representation.

If the procedure is to be carried out by another person on your behalf, when requesting the appointment at 060, the ID of the interested person must be indicated and also that of the authorized person.”

-Under the title “What means do you have to consult your points?”, this information is offered:
“1. Online, accessing with your certificate, Cl@ve system or with username and password.”

(The emphasis in bold is from the DGT. The underline is ours)

EIGHTH: LÍNEA DIRECTA has alleged (in response to the transfer) that the processing of the claimant's data was covered by circumstances a) and b) of article 6.1 RGPD. It stated:

-That, “taking into account the conversation, we believe that there is not only a tacit mandate to carry out the consultation, but also a consent derived from the conduct of the complainant himself.” (Page 9 of the written response to the transfer)

-That, “although it does not imply non-compliance with regulations regarding data protection, it is considered that there has been a breach of the quality policy by the operator, with respect to being more explicit, or having insisted more on express authorization and consent to carry out the consultation with the DGT.” It adds that “the data processor has been informed that the operator has been sanctioned for a very serious offence and that he will be removed from the service to Línea Directa” (Pages 14 and 15 of the transfer letter)

NINTH: LÍNEA DIRECTA has provided (response to the transfer, attached document 6) the specific conditions of the automobile insurance policy subscribed by the claimant, policy no. ***REFERENCE.5, issued on 01/13/2022. In the section dedicated to the “Premium” of the insurance it appears:

- “Annual Premium”: “Annual Total:... €530.79”.
- Below: “Campaign Discount:..- €265.39”.
- And then: “TOTAL TO PAY: … €265.40”.

TENTH: LINEA DIRECTA has alleged (allegations to the start agreement):

That “the MAJOREL employee who attended the complainant by telephone did not request the certificate of his points, nor did he request consent to obtain it, thus failing to comply with the instructions given by LINEA DIRECTA, and being therefore sanctioned for a labor violation.” (Emphasis added)

ELEVENTH: MAJOREL, in its response to the transfer:

1. Declares that: The employee who assisted the claimant in contracting the insurance “does not request the express consent of the interested party in a strict manner, breaching the internal regulations (orders and manuals) of the service established by our client (LÍNEA DIRECTA) when consulting the driving license points at the DGT, although at all times [the claimant] is informed and authorizes said consultation in the call itself (on several occasions) and, in addition, receives in his email an email from LÍNEA DIRECTA after consulting his license points (an automatic email sent from the Galgo system of LÍNEA DIRECTA is generated).”

It has “taken disciplinary measures regarding the teleoperator specializing in the LINEA DIRECTA service who made the call to the claimant” “for failing to comply with orders, instructions, procedures and operations of the service where he worked and which were sufficiently known to the employee both in his initial training and in successive refresher training.” (Emphasis added)

2. Provides: the “Annex to the Exclusive Agency Contract entered into between Línea Directa Aseguradora S.A. and Majorel SP Solutions, S.A.U. dated April 14, 2021”, called “Annex 01/2022 of the Motor Sales Campaign”, dated 01/01/2022. This annex does not include any mention of the “15-point campaign”.

TWELFTH: LÍNEA DIRECTA and MAJOREL have provided the exclusive insurance agency contract signed on 04/14/2021 as well as four annexes (Annex I, “Personal Data Protection”; Annex II, “Security requirements to be implemented
by the person in charge”; Annex III “Supplementary to the RGPD Annex. Indicators of the quality
plan”, and Annex IV, “Ethical Code”).

In addition, MAJOREL provided “Annex 01/2022 of the Motor Sales Campaign” (Proven Fact eleventh point 2)

No further annexes have been provided to the Agency contract. The fourth provision of the contract, “Products and coverage”, establishes that “The Agency will carry out the activity of distribution and marketing of the LÍNEA DIRECTA insurance products that are detailed in Annex I to this contract. The campaigns and marketing conditions of the various LÍNEA DIRECTA insurance products will also be determined by an annex.” (Emphasis added)

THIRTEENTH: Having examined the content of the Agency contract and its Annexes, there is no mention in them of a processing operation that the processor must carry out on behalf of the insurance company involving the date of issue of the driving license together with the NIF of the applicant for car insurance, whose purpose is to obtain online, through the DGT website, the information that the DGT keeps regarding the balance of points associated with the applicant's driving license, thereby verifying the accuracy of the information supplied about his points by the insurance applicant, so that the data can be used to apply a discount on the premium.

FOURTEENTH: Most relevant clauses of the Agency contract.

-First. “Object”. “The purpose of this Contract is the designation of the Agency by the Insurer as the exclusive agency and the regulation of the conditions under which the Agency will carry out the distribution and marketing of the Insurer's insurance products in Spanish territory, and to this end, the performance, where appropriate, of the activity of proposing or carrying out work prior to the conclusion of insurance contracts, the conclusion of said contracts, as well as the assistance in the management and execution of said LÍNEA DIRECTA insurance contracts, including in the event of a claim, under the terms provided for in this Contract.

The distribution activity to be carried out by the Agency will be carried out in relation to the Insurer's insurance products specified in Annex I to this Contract.[…]”

-Third. “Sales channels”. “The Agency will market the LÍNEA DIRECTA insurance products specified in Annex 1, through its telephone platform by means of
the issuing and receiving of calls”

-Fourth: “Products and coverage”. “The Agency will carry out the distribution and marketing activity of the LÍNEA DIRECTA insurance products detailed in Annex I to this contract.

The campaigns and marketing conditions of the various LÍNEA DIRECTA insurance products will also be determined by an annex.

Additionally, the Agency may, where appropriate, offer a series of services that can be combined with the products described in the previous point, and which will be determined in the same annex. [...].”

-Fifth: “Obligations of the parties” “5.1. Agency Obligations […]

b) The marketing and promotion of LINEA DIRECTA insurance products described in Annex 1 of this Contract, in strict compliance with the instructions received from the Insurer and adhering to the premium rates established by it at any given time.”

-Seventh: “Information and protection of customers. Distance marketing”.

“[…] Therefore, the Agency must identify itself as such in all calls and comply with the remaining provisions for this purpose established under the referenced regulations.

Likewise, the Agency declares its capacity to obtain the express and legally valid consent of the clients for the performance of the actions prior to the contracting of the mediated insurance product in accordance with the provisions contained in the RGPD and in the LOPDPGDD and included in the Complementary Annex RGPD attached to this contract, in accordance with the instructions that LINEA DIRECTA indicates in this regard.[…].” (The underline is ours)

-Twenty-first: “Notifications”. “All communication between the Parties regarding this Contract must be made in writing, either by ordinary mail, fax or electronic mail. Communications and/or notifications made by ordinary mail, fax or electronic mail will be considered to have been duly delivered and received provided that their receipt is confirmed by the recipient or there is an acknowledgment of receipt in the case of a certified document and they have been sent to the respective addresses of the Parties indicated below.

LINEA DIRECTA ASEGURADORA S.A. […] The Agency […] ***EMAIL.5”.

The “Agency” is the term with which the Agency contract refers to MAJOREL.

(Emphasis added)

FIFTEENTH: Annex I to the Agency contract, “Protection of Personal Data”.

It determines the categories of personal data and the data that MAJOREL must process,
but does not include any mention of the processing operation that has given rise to
the claim or the data on the date of issue of the driving license of the applicant for car insurance
or the points associated with the driving license of an applicant for car insurance.

The most relevant clauses of Annex I to the Agency contract are the following:

- 2: “Purpose of the processing order”:

“2.1. By means of these conditions, the Data Processor is authorized to process, on behalf of the Data Controller, the personal data necessary to provide the service subject to the Service Provision Contract signed between the Parties (hereinafter, the "Main Contract" or the "Contract"). This Main Contract contains the detailed description of the services provided.

2.2. The processing that the Data Processor will specifically carry out will be only those strictly necessary to fulfill the purpose of the Main Contract. In accordance with the nature of such tasks, the Data Processor may carry out the processing activities indicated below:

x Collection
x Registration
x Structuring
□ Modification
x Conservation
x Extraction
x Consultation
□ Dissemination
x Interconnection
□ Comparison
□ Limitation
□ Deletion
□ Destruction
x Communication

2.3 The categories of personal data and personal data that the Data Processor must process for the execution of the obligations derived from the fulfilment of the purpose of the Contract are the following:
o Customer data (name, surname, NIF, sex and telephone number).
o Data of potential clients (name, surname, NIF, sex and telephone number).”

- 3, “Identification of the affected information”:

“3.1. The Data Processor will only have access to personal data, referring to the following categories of interested parties:
- Data of clients (name, surname, NIF, sex and telephone number).
- Data of potential clients (name, surname, NIF, sex and telephone number).”

- 5. “Obligations of the Data Processor”.
“The data processor and all its staff are obliged to:
[…]

5.2. Process data in accordance with the instructions of the data controller.”

SIXTEENTH: LÍNEA DIRECTA (response to the transfer) states that the seventh clause of the Agency contract incorporates “the need to obtain authorization to carry out any activity such as” that which constitutes the object of the claim and mentions in this regard the “reminders in this regard, as justified with the quality plans for external sales operators. It is provided as document number 3.”

Document 3 provided consists of the Word transcription of part of the content of an email. On the far left is: “Motor_calidad”. “Sent by Motor_calidad” “02/18/2020.17:12”. On the far right, the “To” and “cc” sections are blank. In the “cc” section, several email addresses are included, among them, the only one that belongs to the “majorel” domain is “***EMAIL.2”.
As “Subject”, “General sales guidelines operation”. Below is a text, without indicating its origin or the document from which it was extracted:

<<15 POINT CAMPAIGN:

- Like any campaign, it can be applied if our price is higher or there is a complaint from the
customer.
- You must ask if it has the 15 points.

- You must request proof of the 15 points or ask the client for authorization to
make the online consultation.
>> it is considered a medium incidence.
>> in quotation and/or closing.>>

SEVENTEENTH: LÍNEA DIRECTA (allegations to the start agreement) states that it has a commissioning contract with its annexes and that there were documented instructions whose non-compliance generates penalties.

It provides a Certificate issued by MAJOREL in which it states that the email sent on 02/18/2020 by LÍNEA DIRECTA to the address ***EMAIL.4 was correctly received and that this email address was the one provided to LÍNEA DIRECTA “as valid to receive information on campaigns such as “15 points” among others”.

It also states that the instructions it receives from LINEA DIRECTA are documented in orders and manuals that are complemented by training sessions and provides the “LDA Emission Engine Manual” (version 13/07/2021) that corresponds to the orders and manuals in force in January 2022.

EIGHTEENTH: The document “LDA Emission Engine Manual” contains, among others,
these indications:

-The consultation of points requires consent and authorization to carry it out, which will be valid for three months and will be carried over into any budget made in that period of time. At the time of the consultation, the client will receive an informative email with the result of the same.

-For clients who do not want the consultation to be carried out by LINEA DIRECTA, "the old campaign that we will see later may be used."

-The steps of the procedure to follow are detailed in general terms as follows:

1. Before consulting the DGT points, the quote must be completed to report the initial price and see if it is necessary to apply the campaign.

2. (…)

LEGAL BASIS

I
Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants to each supervisory authority and as established in articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines: "The procedures processed
by the Spanish Data Protection Agency shall be governed by the provisions of
Regulation (EU) 2016/679, in this organic law, by the regulatory
provisions issued in its development and, insofar as they do not contradict them,
on a subsidiary basis, by the general rules on administrative procedures."

II
Preliminary questions

1. On the processing operation carried out by LÍNEA DIRECTA and on the personal data processed.

Pursuant to the provisions of Articles 4.1 and 4.2 of the GDPR, in the case at hand, it is clear that the respondent party has processed the complainant's data for the specific purpose of accessing the information on the points balance associated with his or her driving license held by the DGT and collecting and using this data to apply a discount to the price of the insurance premium.

Article 4.2 of the GDPR defines processing as "any operation or set of operations performed on personal data or sets of personal data, whether by automated means or not, such as collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of access provision, comparison or interconnection, limitation, deletion or destruction."

As indicated, the processing carried out by LÍNEA DIRECTA on which this sanctioning procedure is based had the specific purpose of allowing the entity in question to access the information on points associated with the insurance applicant's driving license, information which is held by the DGT. This is clearly stated by the respondent in its response to the transfer of the SGID (Fourth Proven Fact) when it says: “Taking out the policy, the price of which depends, among other things, on whether or not the 15 points are held, implies corroborating this information with the DGT”. (The emphasis is ours)

The purpose of the processing carried out - for the insurer to access the information that the DGT has on the points of the insurance applicant and thus verify the accuracy of the information provided - is clear in light of the proven facts:

The MAJOREL employee collects from the claimant the date of issue of his driving license and also uses for this specific purpose his NIF, data that was already in the possession of the respondent as the interested party had previously provided it in order to obtain information on the car insurance. The MAJOREL employee enters both data into the DGT website - with which he identifies himself to the computer system as if he were the claimant - and includes an ad hoc created email address, to which the data owner is not connected (that is, he does not know it, nor is he the owner, nor is he the user of that email). In this way, MAJOREL receives a message at the email address it provided to the DGT system with a code that allows it to access the information on the claimant's points balance. It then uses that data, in consideration of which it offers a reduction in the insurance premium.

The following documents in the file provide more information on the disputed processing operation.

The claimant stated that he had verified that MAJOREL used the email address ***EMAIL.1 linked to his NIF and the date of his driving license to receive through the DGT website an access code to his points balance. He provided with his claim (Proven Fact 2) a screenshot of the website www.dgt.es corresponding to the page “Access code request” which states: “Step 2 of 2. Verification of personal data.” In a box, on the first line, the spaces for the name, surname 1 and surname 2 appear filled in with the claimant’s data. On the bottom line, the spaces for the claimant’s “NIF or NIE” and “Date of issue of the license or permit” are filled in. Next, there is “E-mail” - followed by an asterisk informing that this information is mandatory - and “E-mail verification”, and in both boxes the e-mail address ***EMAIL.1 appears.

LÍNEA DIRECTA, as document number 8 attached to its response to the transfer, provided a “template” of the information that it sends by email to applicants for automobile insurance after having consulted their points balance through the DGT website using the NIF data and the date of issue of the driving license to authenticate and obtain a code (Proven Fact 5). In the words of LÍNEA DIRECTA, it is an “informative email of the consultation process followed before the DGT” that “culminates” this “consultation model”.

The document represents further evidence that LINEA DIRECTA was the one who designed the purposes and means of the processing operation - known as the “15-point campaign” - on which the claim is based. The document in question bears the logo of the claimant and the following text:

“Dear {namegreeting}
We are contacting you, in accordance with the conversation held, to inform you that we have made the points query to the General Directorate of Traffic with your authorization and consent.
Our sole purpose is to be able to offer you the best price for your Insurance.
The current balance of points provided by the General Directorate of Traffic for {full name} with DNI {NIF} is {points}

We inform you that we have automatically created a random, single-use email address, which can be modified by you if you wish, by accessing the traffic website www.dgt.es.” (Emphasis added)

Article 4.1 of the GDPR defines personal data as “any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is any person whose identity can be determined, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or various factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

For the purposes of the processing it carries out, LINEA DIRECTA collects from the interested party the data on the date of issue of their driving license and, in addition, uses the NIF data for a purpose other than that for which its holder had provided it - the application for insurance. With this data, it obtains a code that it receives at the electronic address that only it knows and with which it accesses the information that appears in the DGT records on the applicant's points balance for the insurance. It collects and uses this data.

In the processing operation carried out by LÍNEA DIRECTA, the personal data being processed are, in addition to the NIF, the date of issue of the applicant's driving license and the data on his/her points balance. The points balance may be any, since, even accepting as a hypothesis the statement that LÍNEA DIRECTA has made in its allegations to the proposal according to which only the "15 points" are considered for the purposes of applying a discount on the insurance price, the purpose of the consultation is precisely to find out how many points the driver has registered with the DGT.

At this point, the legal relevance of the processing operation to which we have been referring is highlighted, designed by LÍNEA DIRECTA in order to find out the claimant's points balance that was in the DGT systems. This relevance
is evident for the following reasons:

a) The relevance of the treatment operation analyzed is also evident in light
of the characteristics presented on the date of the events by the DGT website that the respondent used and that this General Directorate made available to citizens to consult the data on the balance of points that concerned them.

On March 15, 2023 - the date on which this Agency obtained various screenshots of the website www.dgt.es, which are included in the file - the aforementioned website reported that the consultation of points could be done through these means: i. “Cl@ve”, ii. “Username and password”, iii. “In person”, iv. “Telephone” and v. “My DGT App”.

To the question “What do you need?” the website answers: “To check your points you can access with your digital certificate, electronic DNI, your Cl@ve credentials or by requesting a username and password.”

To the question “Who can do it?” the website answers: “The interested person [this phrase is highlighted in bold on the website], if the consultation is made online. If it is done by another means, another authorized person can also do it on their behalf.” (The underline is ours)

And it goes on to say: “To authorize another person to act on your representation, you can designate a representative through our Registry of Powers of Attorney.” “You can also appear in person as long as you have a document signed by the interested person authorizing you to make the request, and where it states that it is free of charge. To do so, download the DGT authorization form “Granting of representation.”

It can be inferred from the information provided on the DGT website that this Directorate-General, which is responsible for the custody of the points associated with the driving licence, restricted the consultation of the balance of points through its website - remember that this could be done through a digital certificate, electronic DNI, Cl@ve credentials or requesting a username and password - to the physical person who owns the points (it literally refers to “The interested party themselves” and highlights this mention in bold).

And, what is more, it did not admit the possibility that the consultation through its website could be done by a third party other than the interested party acting on their behalf. In this regard, we would like to point out that the website warns that if the consultation is not done via the Internet - it says literally, "if it is done via another means" - it can be done by a third party on behalf of the interested party, duly authorized.

We reproduce this fragment of the response of the respondent party to the transfer (sixth allegation of its letter, "Consultation of points in the DGT reported by Línea Directa itself") regarding the consultation through the DGT website:

"It is necessary to start from the fact that the balance of the points associated with the driving license can be obtained in two ways: (i) through a certificate issued by the DGT or (ii) through an online balance consultation, that is, through the DGT website.

Obtaining a certificate by the user implies that the user must pay fees number 4.1, amounting to 8.67 euros, present proof of purchase of said fees, fill out forms, present them in person or online with a signature, etc., which constitutes a very complex process. Information screens are provided regarding the aforementioned “certificate” taken from the D.G.T. itself.

[…]
Since the certificate system is not agile, and also implies that the individual must pay 8.67 euros, the D.G.T. has implemented an online access system to the points balance, through a process in which the NIF or NIE of the interested party and the date of issue of the driving license are entered, as additional validation data.

As an additional security measure, to avoid indiscriminate use by third parties, the D.G.T. includes the introduction of a CAPTCHA and an email address to obtain the balance at that moment. This email address may be for one-time use, as the system allows you to change this email address with the next access. The process does not allow you to access more information than that strictly related to the points balance existing at that moment, so that no other operation with the Administration is accessible or possible, or any other information about the interested party.

Well, when the interested party has not generated their online access to their balance, or for speed and convenience, who is not forced to have to give their access data (since it is enough to change the email in the next access), or when it is not feasible to have a certificate of points balance, this consultation model can be used, which ends with the sending to the interested party of an informative email of the consultation process followed before the D.G.T.”
(Emphasis added)

b) The CJEU judgment of 22/06/2021, case C-439/19

The reasoning that leads the CJEU to conclude that “Article 10 of the GDPR must be interpreted as applying to the processing of personal data relating to points imposed on drivers for traffic offences” is as follows:

“(87) According to the case law of the Court of Justice, three criteria are relevant to assess the criminal nature of an offence. The first of these is the legal classification of the infringement under domestic law, the second is the nature of the infringement itself, and the third is the severity of the penalty that may be imposed on the person concerned (see, to that effect, judgments of 5 June 2012, Bonda, C-489/10, EU:C:2012:319, paragraph 37; of 20 March 2018, Garlsson Real Estate and Others, C-537/16, EU:C:2018:193, paragraph 28; and of 2 February 2021, Consob, C-481/19, EU:C:2021:84, paragraph 42).

(88) Even in the case of infringements which national law does not classify as ‘criminal’, such a character may nevertheless be derived from the very nature of the infringement in question and the degree of severity of the sanctions which it may entail (see, in this regard, judgment of 20 March 2018, Garlsson Real Estate and Others, C-537/16, EU:C:2018:193, paragraphs 28 and 32).

(89) As regards the criterion relating to the very nature of the infringement, this involves ascertaining whether the sanction in question has a specific repressive purpose, without the mere fact that it also pursues a preventive purpose being able to deprive it of the classification of a criminal sanction. Indeed, it is characteristic of criminal sanctions to have as their object both the repression and the prevention of unlawful conduct. However, a measure which merely repairs the damage caused by the infringement in question is not of a criminal nature (see, to that effect, judgments of 5 June 2012, Bonda, C-489/10, EU:C:2012:319, paragraph 39, and of 20 March 2018, Garlsson Real Estate and Others, C-537/16, EU:C:2018:193, paragraph 33). It is clear that the award of points for traffic offences, like the fines or other sanctions which may be imposed for the commission of such offences, are not only intended to repair any damage caused by such offences, but also have a repressive purpose.

(90) As regards the criterion relating to the degree of severity of the penalties that may be imposed for the commission of these offences, it should be noted, first of all, that only traffic offences of a certain severity give rise to points and that, therefore, such offences may give rise to penalties of a certain severity. The imposition of points is then generally added to the penalty imposed in the event of the commission of such an offence, as is, as has been pointed out in paragraph 58 of this judgment, the case with the legislation at issue in the main proceedings. Finally, the accumulation of such points in itself entails legal consequences, such as the obligation to take an examination or even a driving ban.

(91) This analysis is corroborated by the case law of the European Court of Human Rights (ECtHR) according to which, despite the trend towards decriminalisation of traffic offences in some States, these offences must generally be considered to be criminal in nature, given the preventive and repressive purpose of the sanctions imposed and the degree of severity that these may reach (see, in this regard, ECtHR, 21 February 1984, Öztürk v. Germany, EC:ECHR:1984:0221JUD000854479, §§ 49 to 53; 29 June 2007, O’Halloran and Francis v. United Kingdom, EC:ECHR:2007:0629JUD001580902, §§ 33 to 36, and 4 October 2016, Rivard v. Switzerland, EC:ECHR:2016:1004JUD002156312, §§ 23 and 24).

[…]
(93) It follows that traffic offences which may lead to the award of points fall within the concept of "offences" referred to in Article 10 of the GDPR.

(94) In the light of all the foregoing considerations, the answer to the first question referred is that Article 10 of the GDPR must be interpreted as applying to the processing of personal data relating to points awarded to drivers for traffic offences.”

It should be noted that, as the respondent stated in its allegations to the initiation agreement, it has now ceased this processing, although the cause was not a desire to comply with the data protection regulations but the changes that the DGT has been introducing in its computer system to guarantee the security of the data it keeps and to ensure that the access routes to the information are designed so that they only allow access by the interested parties themselves, which has made it factually impossible for the respondent insurer to continue the processing it had been carrying out. Thus, in its allegations to the initiation agreement it says:

“As a preliminary matter, it is necessary to indicate that this party no longer carries out the processing referred to in the agreement to initiate the sanctioning procedure, in particular because the conditions of access to the information for consultation of the points have been varying over time, as shown even in the verification carried out on March 15, 2023 as set out on page 22 of the Initiation Agreement.

In any case, as of January 2022, consultation was possible in the terms
referred to in the information request EXP202202567 that was submitted at the time and that we
deem reproduced, provided that the interested party was informed and
his consent was requested, among other points that we will detail later,
all of them duly documented.”

2. Regarding the status of data controller of LÍNEA DIRECTA

2.1. Article 4.7 of the GDPR defines the controller as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing; if Union or Member State law determines the purposes and means of the processing, the controller or the specific criteria for its appointment may be established by Union or Member State law”.

LÍNEA DIRECTA is the data controller subject to this sanctioning procedure, as it is the party that has determined the purposes and means of the processing operation. It was therefore obliged, to the extent that it commissioned MAJOREL to carry out processing on its behalf, to comply with the obligations imposed by Article 28.3 of the GDPR.

MAJOREL has the status of data processor for LÍNEA DIRECTA in relation to the processing carried out. Article 4.8 of the GDPR defines “data processor” as “the natural or legal person, public authority, service or other body that processes personal data on behalf of the data controller”.

According to Royal Decree-Law 3/2020, of February 4, on urgent measures by which
various European Union Directives are incorporated into the Spanish legal system (hereinafter, RDL 3/2020), article 203.1.a) “Insurance agents and bank-insurance operators will have the status of data processors of the insurance entity with which they have entered into the corresponding agency contract, in the terms provided for in Title I.”

To be considered a data processor, it is necessary to meet two fundamental conditions: to be an entity independent of the data controller and to process personal data on behalf of the latter.

The data processor must process the data exclusively following the instructions of the controller. Even so, the instructions of the controller may leave a certain margin of discretion regarding how to best serve the interests of the latter, so as to allow the controller to choose the most appropriate technical and organizational means. However, if the data processor does not adhere to the instructions of the controller and begins to determine its own purposes and means of processing, it will be in breach of the GDPR. In these cases, the data processor will be considered responsible for said processing and may be sanctioned for not having adhered to the instructions of the controller.

2.2. LÍNEA DIRECTA, in its allegations both to the initiation agreement and to the resolution proposal (in which it reiterates what it alleged in its previous letter and again sets out the content of the documents provided, from which it is proven that it provided MAJOREL with documented instructions on the processing operation), denies that it is the data controller and attributes this status to MAJOREL.

In this regard, it invokes Article 28.10 of the GDPR – “Without prejudice to Articles 82, 83 and 84, if a data processor infringes this Regulation when determining the purposes and means of processing, it shall be deemed to be a controller with respect to that processing” – and the fact that the MAJOREL employee involved in contracting the complainant’s car insurance did not comply with the documented orders and instructions that the respondent had provided him. In particular, that he did not ask the complainant whether he agreed to have his points balance checked. LÍNEA DIRECTA has provided with its allegations to the initiation agreement various documents that prove that there were documented instructions to the effect that, in relation to the so-called 15 motor sales points campaign, it was mandatory to ask the client for consent to check their points balance and to inform them that the query is made to the DGT.

However, contrary to the position of LÍNEA DIRECTA, the fact that the MAJOREL employee who intervened in the contract had not complied with the orders and instructions that the respondent provided does not exempt the respondent from its responsibility for the processing, nor does it transfer the status of controller to the processor MAJOREL. The deviation from the purposes and means of the processing referred to in Article 28.10 of the GDPR, which is the factual prerequisite for applying the legal consequence contemplated by the provision (the processor being considered the data controller), is connected with the purpose of the processing operation and with the means provided: in this case, the consultation through the DGT website of the points balance of an insurance applicant by obtaining a password, with the MAJOREL employee authenticating himself with the claimant's data (NIF and date of issue of his card) and providing an email address that the interested party does not know, where he receives the access key to the information. There is no evidence that MAJOREL, through its employee, had processed the claimant's data for a purpose other than that established by LÍNEA DIRECTA or through other means. Thus, the fact that the employee had not requested the complainant's authorization for the consultation, as indicated, does not mean that the data collected on behalf of LÍNEA DIRECTA is being processed for a purpose other than that intended. This and nothing else is the correct meaning of article 28.10 of the GDPR, so that the erroneous comments on the matter that were included in the initiation agreement could not alter, however much one might want, the true meaning of the rule.

It is enlightening and also shows the error that LÍNEA DIRECTA makes in its
allegations to the proposal when it refers to section 118 of the text of the EDPB Guidelines 7/2020 that we reproduce:

<<100. Any processing of personal data by a processor must be governed by a
contract or other legal act under Union or Member State law concluded between the controller and the processor, as set out in Article 28(3) GDPR.

101. This legal act must be in writing, with electronic form permitted. Agreements not formalised in writing (regardless of their exhaustiveness or effectiveness) cannot therefore be considered sufficient to meet the requirements set out in Article 28 GDPR. In order to avoid any difficulties in proving the effectiveness of the contract or other legal act, the EDPB recommends ensuring that the necessary signatures have been included in the legal act in accordance with the applicable law (e.g. contract law).

102. Furthermore, the contract or other legal act under Union or Member State law must bind the processor vis-à-vis the controller; that is, it must impose binding obligations on the processor under Union or Member State law. It must also set out the obligations of the processor. In most cases, there will be a contract, but the Regulation also refers to "another legal act", such as a national rule (primary or secondary law) or other legal instrument. If the legal act does not contain all the minimum required content, it must be supplemented by a contract or other legal act that includes the missing elements.

103. Since the Regulation provides for a clear obligation to conclude a contract in writing, where there is no other relevant legal act in force, the absence of a contract will constitute a breach of the GDPR. In this regard, both the controller and the processor are responsible for ensuring that the processing is governed by a contract or other legal act. Under Article 83 of the GDPR, the competent supervisory authority may impose an administrative fine on the controller and the processor, taking into account the circumstances of each specific case. Contracts that were concluded prior to the date of entry into force of the GDPR must have been updated under Article 28(3).>>

In relation to the content of the contract or other legal act, it says:

<<111. Before focusing the presentation on each of the requirements established in the GDPR in relation to the content of the contract or other legal act, some general observations must be made.

112. Although the elements provided for in Article 28 of the Regulation constitute its essential content, the contract must serve to enable the controller and the processor to clarify, through detailed instructions, how these essential elements will be applied in practice. The processing contract should therefore not merely reproduce the provisions of the GDPR, but should include more specific and concrete information on how the requirements will be met and the degree of security that will be required for the processing of the personal data subject to the processing contract. Far from being a merely formal exercise, the negotiation and stipulation of the terms of the contract serve to specify the details of the processing. Indeed, the "protection of the rights and freedoms of data subjects, as well as the accountability of controllers and processors [...] require a clear attribution of responsibilities" under the GDPR.

113. [...]

114. As regards the mandatory content of the contract or other legal act, the EDPB interprets Article 28(3) as requiring the inclusion of the following:
• The subject matter of the processing (for example, recordings made by video surveillance systems of persons entering and leaving high-security facilities). Although the subject matter of the processing is a broad concept, it must be formulated in a manner that is sufficiently detailed to make clear what the main purpose of the processing is.
• The duration of the processing: the exact period of time or the criteria used to determine it must be specified. For example, reference could be made to the duration of the processing agreement.
• The nature of the processing, i.e. the type of operations performed as part of the processing (e.g. video recording, audio recording, image archiving, etc.); and the purpose of the processing (e.g. detecting illegal entry). This description should be as comprehensive as possible, according to the specific processing activity, so that parties outside the contract (e.g. supervisory authorities) can understand the content and risks of the processing entrusted to the processor.
• The type of personal data: this element should be specified in as much detail as possible (e.g. video images of persons entering and leaving the premises). It would not be sufficient merely to indicate that these are "personal data within the meaning of Article 4(1) of the GDPR" or "special categories of personal data within the meaning of Article 4(1) of the GDPR" or "special categories of personal data" by specifying at least the types of data concerned; for example, information about medical history or information about the data subject's membership or non-membership of a trade union.
• The categories of data subjects: this should also be specified in a fair degree of detail (e.g. visitors, employees, delivery services, etc.).
• The obligations and rights of the controller: the rights of the controller are addressed in more detail in the following sections (e.g. the controller's right to carry out inspections and audits). As regards the controller's obligations, examples include the obligation to provide the processor with the data referred to in the contract; the obligation to provide the processor with instructions regarding the processing of data and to document them; the obligation to ensure, prior to and during processing, compliance with the obligations imposed on the processor under the GDPR; and the obligation to monitor processing, including carrying out audits and inspections of the processor.

115. Although the GDPR stipulates the elements that must be included in the agreement in any case, depending on the context and risks of the processing, as well as any additional requirements that may apply, other relevant information may need to be included.
1.3.1 The processor shall process personal data only on documented instructions from the controller [Article 28(3)(a) GDPR]

116. The need to specify this obligation arises from the fact that the processor processes data on behalf of the controller. Controllers must give instructions to processors in relation to each processing activity. These instructions may determine which personal data processing is considered permissible and which is unacceptable, and include more detailed procedures, ways of protecting the data, etc. The actions of the processor must comply with the instructions of the controller, without overstepping their bounds. However, the processor may make suggestions which, if accepted by the controller, become part of the instructions.

117. Where a processor processes data in a manner inconsistent with the controller's instructions and this amounts to a decision determining the purposes and means of processing, the processor shall be deemed to have breached its obligations and may even be considered a controller of such processing pursuant to Article 28(10) (see point 1.5 below).>>

The EDPB refers to documented instructions as distinct from the minimum content of the contract:

<<118. Instructions provided by the controller should be documented. For this purpose, it is recommended that a procedure and a template for providing future instructions be included in an annex to the contract or other legal document. Alternatively, instructions may be given in any written form (e.g. by email) and in any other documentary form, provided that it is possible to keep a record of such instructions. In any case, in order to avoid difficulties when proving that the instructions of the data controller have been duly documented, the EDPB recommends keeping these instructions together with the contract or other legal document.>>

It follows, therefore, that contrary to what LÍNEA DIRECTA claims, it is LÍNEA DIRECTA and not MAJOREL that is responsible for the processing, since there is no reference in the contract provided as a contract for the processing of data, or in its annexes to the object of the order, its purpose, or the personal data processed (date of issue of the card and balance of points). The documented instructions on how MAJOREL must carry out its order are not the content that should have been included in the order document. It is a different issue and it is not disputed that there was a relationship between the controller and the processor, since what is required by the GDPR is that it is documented in a contract or binding legal act with the minimum content mentioned in article 28.3.

IV
Violation of article 6.1 of the GDPR

1. In this resolution, LÍNEA DIRECTA is held responsible for a violation of article 6.1 of the GDPR, which provides:

“1. The processing will only be lawful if at least one of the following conditions is met:

a) the interested party gave his consent for the processing of his personal data for one or more specific purposes;
b) the processing is necessary for the execution of a contract in which the interested party is a party or for the application at the request of the latter of pre-contractual measures;
c) the processing is necessary for compliance with a legal obligation applicable to the data controller;
d) processing is necessary to protect the vital interests of the data subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

The provisions of letter f) of the first paragraph shall not apply to processing carried out by public authorities in the exercise of their functions.

[…]” (Emphasis added)

Any processing of personal data must be based on one of the grounds of lawfulness expressly established in article 6.1 of the GDPR.

The violation of article 6.1 of the GDPR attributed to the defendant insurer is materialised in the processing without an adequate legal basis of the data of the NIF and the date of issue of the driving licence of the claimant for the specific purpose of consulting the DGT website for its points balance and using this data to apply, in consideration of it, a reduction in the price of the insurance premium.

The processing operation carried out by the defendant is explained in the preceding Basis to which we refer.

The unlawful processing of the claimant's data for which LÍNEA DIRECTA is responsible took place on 01/13/2022, the date on which a MAJOREL employee, in the course of the telephone conversation held with the claimant about the car insurance policy in which he was interested, asked him about the date of issue of his driving license without previously informing him of the purpose for which he was collecting this data and used it, together with his NIF - now processed for a purpose different from that for which it was collected from the claimant - to check his points balance with the DGT.

In the Third Proven Fact of this resolution, the conversation held between the MAJOREL employee and the claimant is transcribed, and it can be verified that he requests the data on the date of issue of the driving license without previously providing him with the information that is mandatory in accordance with article 13 of the GDPR, including the purpose of the processing and the retention period.

2. All processing of personal data must be based on one of the
lawful reasons expressly established in article 6.1 of the GDPR.

The positions of the respondent party regarding the
lawful basis of the processing carried out are examined below, as maintained in its writings of (i)
response to the transfer (ii) allegations to the initiation agreement and allegations to the resolution proposal.

(i) In the response to the transfer of the claim, LÍNEA DIRECTA claimed that the
processing was compliant with the GDPR and invoked two legal bases as grounds for its alleged
lawfulness: sections a) and b) of article 6.1 GDPR.

(ii) In the allegations to the initiation agreement, it “admits” that the complainant did not give consent to the processing of his data to check the points balance with the DGT but does not acknowledge its responsibility for the infringement with which it is charged. In its allegations, the admission of lack of consent is tied to the Agency recognizing MAJOREL, its data processor, as the controller, and therefore also as responsible for the infringement of article 6.1 GDPR, instead of that insurance company.

It bases such a claim on article 28.10 of the GDPR and on an erroneous consideration
that was incorporated into the agreement to initiate the procedure. Thus, LÍNEA DIRECTA says the
following:

“In any case, for the purposes of Línea Directa it is important to remember that, in accordance with art. 28.10 GDPR, the party responsible for these breaches would be MAJOREL, and not Línea Directa. This is concluded on page 19 of the Agreement to Initiate the Sanctioning Procedure when it is stated that “If it is true that MAJOREL, through its employee, acted outside the instructions supposedly received from LÍNEA DIRECTA, it would be, by virtue of article 28.10 of the GDPR, the party responsible for the processing of the claimant's data on which this initiation agreement relates.”

Hence its allegations to the initiation agreement are focused on providing the documentation that proves that it provided MAJOREL with documented instructions on the processing.

Without prejudice to the fact that this issue is examined in detail in another Legal Ground of this resolution, attention is drawn to the fact that the resolution proposal stressed on multiple occasions (Background Nine, last paragraph; Legal Ground II, last paragraph; Legal Ground III, point 4, second and third paragraphs) that this was an erroneous consideration contrary to the meaning of the provision, so that the erroneous comments on the matter that were included in the initiation agreement could not alter the true meaning of the rule.

3. We therefore proceed to examine whether the processing that LÍNEA DIRECTA carried out of the personal data of the complainant may be based on any of the grounds of lawfulness established in article 6.1 GDPR.

What was stated in the initiation agreement and in the resolution proposal is reiterated: the data processing designed by LÍNEA DIRECTA cannot be covered by any of the legal bases that were invoked (sections a and b of article 6.1 of the GDPR).

3.1. With regard to consent (article 6.1.a GDPR) as a possible legal basis, it should be noted, first of all, that the claimant has denied that he had given his consent to his personal data being processed for the purpose for which it was intended.

Thus, it is up to LÍNEA DIRECTA, by virtue of the principle of proactive responsibility set forth in article 5.2 of the GDPR, to prove that the processing was based on consent or on any other of the circumstances detailed in article 6.1 of the GDPR.

The respondent then stated that the complainant's consent to process his data for the purpose of making a query to the DGT was expressed by a clear affirmative action which consisted of saying "okay" during the telephone conversation to the employee's comment "just a moment while I make the query."

Consent is defined in Article 4.11 of the GDPR as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, agrees to the processing of personal data relating to him or her.”

Recital 32 of the GDPR states: “Consent must be given by a clear affirmative act evidencing a freely given, specific, informed and unambiguous indication of the data subject’s wishes to agree to the processing of personal data relating to him or her, such as a statement in writing, including by electronic means, or an oral statement. This could include […] any other statement or conduct which clearly indicates in this context that the data subject accepts the proposed processing of his or her personal data […]” (Emphasis added)

Consent must be “informed” and recital 42 clarifies this point: “For consent to be informed, the data subject must know at least the identity of the controller and the purposes of the processing for which the personal data are intended” (Recital 42) (Emphasis added)

The third proven fact of this resolution transcribes the telephone conversation between the MAJOREL employee and the complainant, and it can be verified that he requests the data on the date of issue of the driving licence without previously providing him with the information that is required in accordance with article 13 of the GDPR, including the purpose of the processing and the retention period. Nor was he informed of the new purpose for which his NIF data would be processed: to identify him in order to obtain information about his points balance from the DGT website.

The respondent party is aware of the lack of information on the purpose of the processing provided to the complainant, which would vitiate consent if it had been given. So much so that it refers to the “explanatory email of having made the query” to the DGT website that was sent to the complainant once the processing operation had finished and states: “This email makes up for the lack of explicit information that may have been omitted by the operator.”

However, for consent to be valid, the information must be provided before consent is given. It cannot be claimed that the information necessary to form a valid consent is provided after it has been granted.

It is also not possible to admit that the consent to process the data for the purpose for which they were intended is implicit in the consent given to the contracting of the insurance, since they are two different processing operations, and the consent to the contracting was subsequent in time to the consent that is invoked by the opposing party as a basis of lawfulness.

This is clearly expressed in the “Guidelines 05/2020 on consent under Regulation 2016/679”, version 1.1, adopted on 4 May 2020:

“(90) In any case, consent must always be obtained before the data controller begins to process the personal data for which consent is required. WP29 has consistently held in its opinions that consent must be given prior to processing activity. […] this is clearly implied. The title of section 1 of article 6 and the text “has given” in letter a) of section 1 of article 6 support this interpretation. Logically, it follows from article 6 and recital 40 that there must be a valid legal basis before initiating data processing.” (Emphasis added)

LÍNEA DIRECTA maintains in its response to the transfer of the complaint that “there was a
consent derived from the conduct of the complainant himself” and says that:

“[…] from the context of the conversation, it is clear that when the operator says “one second while I make the enquiry (…) okay?” and the complainant answers “yes” or “of course”, it is because the complainant was consenting and authorizing such a consultation, as is evident from having been left on hold for more than two minutes, and that the complainant waited patiently, and immediately afterward the operator resumed the conversation reporting the points that have been taken “after consulting the DGT.” (The emphasis is ours)

However, the complainant's comment, “okay”, seems to be his assent to what the employee of the processor MAJOREL says just before: “one second while I make the enquiry (…)”. He agrees to wait for the enquiry to be made, but without it being identified where the enquiry is to be made or what information it concerns. The complainant does not unequivocally and in an informed manner consent to his data being processed for the purpose for which it was intended, since the person who makes the enquiry does not inform him of the conditions under which the DGT website allows it to be made.

For the reasons set forth above, it cannot be considered that the consent of the complaining party is present as a legal basis for the
processing carried out.

Finally, what was said in the initiation agreement is reiterated regarding the considerations that the respondent made in its response to the transfer, relating to the distinction between "authorization" and "consent" and to the provisions of the Civil Code that it considered applicable to the case, in which it sought to base the legality of the processing either on the existence of a tacit mandate from the claimant in favor of the respondent to consult the DGT database (ex article 1710 Civil Code) or on the subsequent ratification by the business owner provided for in the quasi-contract for the management of another's business (ex article 1892 Civil Code). It is again stressed that the applicable regulations are the GDPR and the LOPDGDD and that the circumstances that determine the lawfulness of the processing, which is the issue at hand, are exclusively those provided for in article 6.1 of the GDPR. If the civil provisions invoked are not connected with any of the legal bases included in article 6.1 of the GDPR, the references to the precepts of the Civil Code are irrelevant for the purposes at hand.

3.2. Section b) of article 6.1 of the GDPR, as a basis for legitimizing the processing. The respondent party alleged this circumstance in its response to the transfer of the claim.

It then made, among others, the following statements:

-“[...]we are not faced with the need to consent to the processing of the balance of the points, since the legal basis for the processing of this information, necessary for the execution or conclusion of the contract, would be art. 6.1.b) GDPR, to the extent that the pre-contractual measure that necessarily required such processing was applied to the balance (discount campaign for the 15 points).” (Emphasis added)

-“In any case, it is not considered necessary to obtain consent for the processing of points balance when this information is clearly necessary to apply a discount for a specific campaign (art. 6.1.b) GDPR) -discount applicable for having a points balance to the extent that this reflects being a good driver-, but rather mere authorization (mandate or representation) to carry out the consultation on behalf of the claimant, authorization that may be tacit, or that, even if it does not exist, is remedied by its subsequent ratification (art. 1892 Cc).” (Emphasis added)

The ground of lawfulness in section b) of article 6.1 of the GDPR reads: “the processing is necessary for the execution of a contract in which the interested party is a party or for the application at the request of the latter of pre-contractual measures”.

Article 6.1.b) of the GDPR refers to processing that is “necessary” for the performance and execution of a contract or for the application of pre-contractual measures and the term “necessity” has its own and independent meaning in Community law. The Court of Justice of the European Union considers that it is an “autonomous concept of Community law” (ECJ of 16/12/2008, case C-524/2006, paragraph 52) and the European Court of Human Rights states that the “adjective necessary is not synonymous with “indispensable” nor does it have the flexibility of the expressions “admissible,” “ordinary,” “useful,” “reasonable” or “desirable”” (paragraph 97 of the ECHR 25/03/1983).

We must state that in the present case the consultation of the claimant's points balance carried out by the LÍNEA DIRECTA processor through the DGT website was in no way necessary - in the sense that the term has in Community law - for the adoption of pre-contractual measures or for the execution of the insurance contract which the claimant finally signed with that insurer.

The consultation was not necessary because, contrary to what is claimed, the price of the
contract was fixed from the beginning and the MAJOREL employee informed the
claimant of this in the telephone conversation: <<Operator: “I have an initial price of
501 euros, OK, it is initial, do you have the 15 driving license points?”>>.

Also, the particular conditions of the insurance policy taken out by the claimant list the price of the insurance premium and the price after applying the discount separately. The section of the particular conditions referring to the “Premium” of the insurance states: “Annual premium” “Annual total...530.79€”. Below, “Campaign discount...-265.39€”. And then: “To pay...265.40€”.

LÍNEA DIRECTA carried out two different processing operations, each with its own specific purpose. On the one hand, the contracting of the insurance policy, which involves processing the policyholder's data that are necessary for a specific purpose: the execution of the contract or the adoption of pre-contractual measures. This processing is covered by the legal basis of article 6.1.b) of the GDPR. On the other hand, a processing operation whose purpose is to consult the data subject's points balance recorded at the DGT through its website. This processing operation is not necessary for the execution of the contract or to apply pre-contractual measures, and is not covered by the ground of lawfulness of article 6.1.b).

4. Thesis invoked by the respondent party in its allegations to the initiation agreement and to the resolution proposal regarding the infringement of article 6.1 of the GDPR for which it is held responsible.

In both stages of allegations, the respondent has focused its arguments exclusively on defending MAJOREL's status as the controller of the data processing carried out and, consequently, as responsible for the infringement of article 6.1 of the GDPR. This thesis is based, as indicated above, on the erroneous comment included in the initiation agreement on the scope that article 28.10 of the GDPR would have in this case.

While such an argument might be understandable in the context of its allegations to the initiation agreement, it is not understandable in the allegations to the resolution proposal, for two reasons:

One, that the resolution proposal repeatedly stated (exactly on three
occasions) that the comment included in the initiation agreement regarding article
28.10 RGPD was contrary to the text of the provision and the meaning of the rule and included
the following paragraph:

The deviation from the purposes and means of the processing referred to in article 28.10 of the GDPR, which is the factual prerequisite for applying the legal consequence contemplated by the rule - the processor being deemed the controller of the processing - is connected with the purpose of the processing operation and with the means provided: in this case, the consultation through the DGT website of the points balance of an insurance applicant, obtaining a password by having the MAJOREL employee authenticate with the claimant's data (NIF and date of issue of his driving license) and providing an email address unknown to the data subject, at which the access key to the information is received. There is no evidence that MAJOREL, through its employee, had processed the claimant's data for a purpose other than that established by LÍNEA DIRECTA or through other means. Thus, the fact that the employee had not requested consent for the consultation, as LÍNEA DIRECTA claims had been indicated, does not mean that the data collected on behalf of LÍNEA DIRECTA have been processed for a purpose other than that intended. This and no other is the correct meaning of article 28.10 of the GDPR, so the erroneous comments on the matter that were included in the start agreement could not alter, no matter how much one wanted, the true meaning of the rule.

The other, that LINEA DIRECTA has based its position, focused exclusively on defending that the data controller was MAJOREL and not itself, on those fragments of the start agreement that allowed it to maintain that position, and has self-servingly ignored those statements of the start agreement that were not consistent with the aforementioned comment. We reproduce the following fragments of the start agreement, Basis III, Preliminary Considerations, in which it was said:

“Article 28 of the GDPR establishes in point 3 that the processing carried out by the processor will be governed by a contract or other legal act in accordance with the law of the Union or of the Member States that binds the processor with respect to the controller and establishes the object, duration, nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller, and that includes the stipulations to which letters a) to g) of the aforementioned provision refer. In particular, section a) of article 28.3 of the GDPR states that the processor will process personal data only following documented instructions from the controller.
[…]

It should be remembered that it was this insurance company that defined the purposes and means of the processing, which is why the “15 points” campaign is of interest here. An example is the pre-designed document that was sent to the claimant by email, and which, according to the information provided by the respondent party, is sent to applicants for a car insurance policy after they have checked their points balance through the DGT website. This document, which bears the name and logo of LÍNEA DIRECTA, of which the respondent party provides a copy - number 8 of the annexes to its response letter -

states that”.

And later, in another legal ground, it states:

“Thus, we can affirm that the Agency contract signed between LÍNEA DIRECTA and MAJOREL - in which, by requirement of article 203.2 of RDL 3/2020, all the details relating to the processing order referred to in article 28.3 of the GDPR must be included - is missing a reference to the processing operation (its object, purpose, nature and data processed) which consists of consulting the points balance of the applicant for car insurance through the DGT website. On the other hand, no documents have been provided attached to the Agency contract containing the indications that article 28.3 of the GDPR requires the controller to provide to its processor about the processing operation entrusted to it.”

It should be noted that LINEA DIRECTA has always been perfectly aware that it, and not MAJOREL, is the one who set the purposes and means of the processing and, consequently, who is the controller of the processing. So much so that in its allegations to the start agreement it has fully accredited the instructions that it gave to MAJOREL regarding the processing of the data of the NIF, date of issue of the driving license and points balance with a specific purpose, the consultation of the points balance through the DGT website. And in its allegations to the proposed resolution it has done nothing but reiterate these considerations on the evidence provided with its written allegations to the start agreement, documents that do nothing but show who has always been the controller of the processing. We cannot forget, either, that LÍNEA DIRECTA has insistently invoked the data protection training of the personnel employed by its data processor, so it can be assumed that this insurer is also aware of the meaning, scope and conditions of the processing order referred to in articles 203.1 and 203.2 of RDL 3/2020.

5. Regarding the reference that the resolution proposal made to the CJEU judgment of 22/06/2021, case C-439/2019.

It is essential to remember, given the allegations of the respondent party regarding the alleged extensive application of a sanctioning rule by the Agency, that the resolution proposal clearly indicated that the violation of article 6.1 of the GDPR for which the respondent entity was held responsible had been established, and that such violation was absolutely independent of the effects that could arise from any application of the aforementioned CJEU judgment. This is because the resolution proposal, after having established the violation of article 6.1 of the GDPR by the respondent and having set out the grounds for the infringement, added that even if the client had given consent - something that, as stated in the resolution proposal, the respondent had not proven - such consent "could not compensate for the lack of authorization for the processing that LÍNEA DIRECTA has derived from the provision of article 10 of the LOPDGDD that is applicable to the points of the driving license by virtue of the CJEU judgment of 22/06/2021, case C-439/2019."

It is thus clarified that at no time was the infringement of article 6.1 of the GDPR, which was established in the resolution proposal, linked in that procedure to the aforementioned CJEU judgment.

In view of the above, we consider it proven that the processing of the complainant's personal data by LÍNEA DIRECTA for the stated purpose was not covered by any of the legal bases provided for in article 6.1 of the GDPR.

V
Classification of the infringement of article 6.1 of the GDPR and limitation period

The infringement of article 6.1 of the GDPR for which the respondent party is held responsible in this resolution, consisting of the processing it has carried out of the claimant's data for the specific purpose of accessing the information on his/her points balance held by the DGT and using the data thus obtained, is classified in article 83.5.a) of the GDPR, a provision that establishes:

“Infringements of the following provisions shall be sanctioned, in accordance with section 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global turnover of the previous financial year, choosing the highest amount:
a) the basic principles for processing, including the conditions for consent pursuant to articles 5, 6, 7 and 9;
[...]”

For the sole purpose of determining the limitation period for the infringement, the LOPDGDD classifies it as very serious. Its article 72, “Infringements considered very serious”, states:

“1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered very serious and will be subject to a three-year limitation period:

[...]
b) The processing of personal data without any of the conditions for the lawfulness of the processing established in article 6 of Regulation (EU) 2016/679 being met.”

VI
Infringement of Article 28 of the GDPR

1. In this resolution, LÍNEA DIRECTA is accused of infringing Article 28 of the
GDPR - in particular its paragraphs 3 and 9 - a provision which states:

“1. When processing is to be carried out on behalf of a controller, the controller shall only select a processor who offers sufficient guarantees to implement appropriate technical and organisational measures so that the processing complies with the requirements of this Regulation and guarantees the protection of the rights of the data subject.
2. […]
3. Processing by the processor shall be governed by a contract or other legal act under Union or Member State law, which binds the processor with respect to the controller and establishes the object, duration, nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. Such contract or legal act shall stipulate, in particular, that the processor:
a) shall process the personal data only on documented instructions from the controller, including with respect to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such case, the processor shall inform the controller of that legal requirement prior to processing, unless such law prohibits such information for important reasons of public interest;
b) shall ensure that persons authorised to process personal data have undertaken to respect confidentiality or are subject to a statutory obligation of confidentiality;

c) shall take all necessary measures in accordance with Article 32;
d) shall comply with the conditions set out in paragraphs 2 and 4 for using another processor;
e) shall assist the controller, taking into account the nature of the processing, by appropriate technical and organisational measures, where possible, to enable the controller to comply with its obligation to respond to requests concerning the exercise of the rights of data subjects set out in Chapter III;
f) shall assist the controller in ensuring compliance with the obligations set out in Articles 32 to 36, taking into account the nature of the processing and the information available to the processor;
g) shall, at the controller's choice, erase or return all personal data after the provision of the processing services has been completed, and erase existing copies unless retention of the personal data is required by Union or Member State law;
h) shall make available to the controller all information necessary to demonstrate compliance with the obligations set out in this Article, as well as to enable and contribute to the performance of audits, including inspections, by the controller or another auditor authorised by the controller.
With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in the processor's opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.
4. […]
5. […]
6. Without prejudice to the conclusion of an individual contract between the controller and the processor, the contract or other legal act referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on the standard contractual clauses referred to in paragraphs 7 and 8 of this Article, including where they form part of a certification granted to the controller or processor pursuant to Articles 42 and 43.
7. […]
8. [...]
9. The contract or other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic form.
10. Without prejudice to Articles 82, 83 and 84, where a processor infringes this Regulation when determining the purposes and means of processing, he shall be deemed to be a controller with respect to that processing.”
(Emphasis added)

Article 28 GDPR provides in paragraph 3 that the processing must be governed by a contract or other legal act which binds the processor to the controller and sets out the subject matter, duration, nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. It adds that such contract or legal act shall in particular (paragraph a) stipulate that the processor shall process the data “only on documented instructions from the controller.”

In addition, paragraph 9 of article 28 of the GDPR requires that “The contract or other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic format.” (Emphasis added)

The insurance sector regulation, RDL 3/2020, bears on some of these points. Thus, its article 203.2, referring to the insurance agents regulated in section 1 letter a) of that same article, establishes:

“In the case provided for in letter a) of section 1, the agency contract
must include the details provided for in article 28.3 of Regulation
(EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016.”

And article 204.2 of the same Royal Decree-Law states: “Insurance agents […] may only process the data of interested parties under the terms and with the scope that arise from the insurance agency contract and always in the name and on behalf of the insurance company with which they have entered into the contract.”

2. Both LÍNEA DIRECTA and MAJOREL have provided the AEPD in their response to the
transfer, as a contract that documents the assignment between them, the
exclusive insurance agency contract that they signed on 04/14/2021, a contract that replaced the
previous one, signed in 2010.

They have also provided the same annexes to the Agency contract: Annex I, “Protection of Personal Data”, Annex II, “Security requirements to be implemented by the processor”, Annex III “Complementary to the GDPR Annex. Indicators of the quality plan”, and Annex IV, “Code of Ethics”.

In addition, MAJOREL has sent “Annex 01/2022 of the Motor Sales Campaign”, dated 01/01/2022, which, according to it, “details the “motor sales” campaign relating to the facts reflected by the claimant”.

The examination of the clauses of the Agency contract shows that there is no allusion or citation, direct or indirect, to the processing in question, nor to the purpose of this processing operation, nor to the data subject to processing: the date of issue of the driving license, the points balance and the NIF with this new purpose.

For the sake of clarity, even at the risk of being repetitive, some of the stipulations of the contract for the processing of data provided are transcribed, which corroborate
the preceding statement:

- First: “Object”. “The purpose of this Contract is the designation of the Agency by the Insurer as the exclusive agency and the regulation of the conditions under which the Agency will carry out the distribution and marketing of the Insurer's insurance products in Spanish territory, and to this end, the performance, where appropriate, of the activity of proposing or carrying out work prior to the conclusion of insurance contracts, the conclusion of said contracts, as well as the assistance in the management and execution of said LINEA DIRECTA insurance contracts, including in the event of a claim, under the terms provided in this Contract.

The distribution activity to be carried out by the Agency will be carried out in relation to the
insurance products of the Insurer specified in Annex I to this
Contract.[…]”

- Third: “Sales channels”. “The Agency will market the LINEA DIRECTA insurance policies specified in Annex 1, through its telephone platform by making and receiving calls”

- Fourth: “Products and coverage”. “The Agency will carry out the distribution and marketing activity of the LINEA DIRECTA insurance products detailed in Annex I to this contract.

The campaigns and marketing conditions of the various LINEA DIRECTA insurance products will also be determined by an annex.

Additionally, the Agency may, where appropriate, offer a series of services that can be combined with the products described in the previous point, and which will be determined in the same annex. [...].

- Fifth: “Obligations of the parties”: “5.1. Obligations of the Agency [...]

b) The marketing and promotion of LINEA DIRECTA insurance products

described in Annex 1 of this Contract, in strict compliance with the instructions
received from the Insurer and adhering to the premium rates that it establishes
at any time.

- Seventh: “Information and protection of distance marketing customers”

“In addition to the general obligations regarding information referred to in previous clauses, when carrying out distance marketing, the Agency is obliged, prior to the conclusion of the products subject to intermediation under this Contract, to comply with the prior obligations required in specific regulations and specifically in the LSSICE and in the LCD in all that is applicable to it.

Therefore, the Agency must identify itself as such in all calls and comply with the remaining provisions for this purpose established under the referenced regulations.

Likewise, the Agency declares its capacity to obtain the express and legally valid consent of the clients for the performance of the actions prior to the contracting of the mediated insurance product in accordance with the provisions contained in the GDPR and in the LOPDGDD and included in the Complementary GDPR Annex attached to this contract, in accordance with the instructions that LINEA DIRECTA indicates in this regard.[…].” (The emphasis is ours)

Annex I to the Agency contract, “on Personal Data Protection”, likewise contains no reference to the processing operation that has given rise to the claim, to the data on the date of issue of the driving license of the applicant for the car insurance, or to the points associated with the driving license.

Moreover, the aforementioned Annex I does not even include the list of the insurance products of LINEA DIRECTA for which the processor MAJOREL will develop the distribution and marketing activity, despite the express reference to Annex I that is made in the first clause, second paragraph; third; fourth and fifth, section 5.1.b) of the Agency contract.

Regarding the content of Annex I, for reasons of procedural economy, we refer to the following stipulations of this Annex I - "Personal Data Protection" -: clauses 2, "Object of the processing order"; 3, "Identification of the affected information" and 5, "Obligations of the Data Processor" that are transcribed in the Fifteenth Proven Fact.

It therefore appears that the documentation provided for the procedure (the Agency contract and the Annexes that comprise it) does not contain any reference to a processing operation whose purpose is to consult the balance of points associated with the driving license of the applicant for motor vehicle insurance through the DGT website and to collect and use this data.

Not even Annex I to the Agency contract - "Protection of Personal Data" - which details the categories of personal data and which data the data processor MAJOREL must process, makes reference to the data on the date of issue of the driving license or the balance of points.

3. Guidelines 7/2020 on the concepts of controller and processor in the GDPR, version 2.0, adopted on 07/07/2021 by the European Data Protection Board (EDPB), indicate that “any processing of personal data by a processor must be governed by a contract or other legal act under Union or Member State law concluded between the controller and the processor, as stipulated in Article 28, paragraph 3, of the GDPR”. They add:

“This legal act must be in writing, with electronic form permitted. Therefore, agreements not formalised in writing (regardless of their
exhaustiveness or effectiveness) cannot be considered sufficient for compliance with the
requirements set out in Article 28 of the GDPR.” They also say that, “In order
to avoid any difficulties in proving the effectiveness of the contract or other legal
act, the EDPB recommends ensuring that the necessary signatures have been included in the legal act in accordance with the provisions of the applicable law (e.g.
contract law).” (Emphasis added)

They also indicate (section 103) that “A written contract under Article 28, paragraph 3, of the GDPR may be integrated into a broader contract, such as a service level agreement. In order to facilitate proof of compliance with the GDPR, the EDPB recommends that the elements of the contract with which Article 28 of the GDPR is intended to be applied should be clearly identified in one place (e.g. in an annex).”

As regards the content of the contract or legal act for the commissioning of processing,
the Guidelines state the following:

-Section 112: “the contract should serve to clarify, through detailed instructions, between the controller and the processor, how these fundamental elements will be applied in practice. The processing contract should therefore not be limited to reproducing the provisions of the GDPR, but should include more specific and concrete information on how the requirements will be met and the degree of processing. […]”.

-Paragraph 114: “As regards the mandatory content of the contract or other legal act, the EDPB interprets Article 28(3) as prescribing the inclusion of the following:

• The subject matter of the processing […] Although the subject matter of the processing is a broad concept, it must be formulated in sufficient detail to make it clear what the main purpose of the processing is.

• The duration of the processing: the exact period of time or the criteria used to determine it must be specified. For example, reference could be made to the duration of the processing agreement.

• The nature of the processing, i.e. the type of operations performed as part of the processing (e.g. video recording, sound recording, image archiving, etc.); and the purpose of the processing (e.g. detecting illegal entry). This description must be as exhaustive as possible, depending on the specific processing activity, so that parties outside the contract (for example, supervisory authorities) can understand the content and risks of the processing entrusted to the processor.

• The type of personal data: this element must be specified in as much detail as possible (for example, video images of people entering and leaving the premises).

(Emphasis added)

4. In the response to the transfer, the respondent failed to mention the omission of the contract for the processing of data, which lacks the content that must be included.

In the allegations to the start agreement, the respondent does not allege anything to refute the breach of the obligation of article 28 of the GDPR that is imputed to it, derived from having omitted, in the document provided as the data processing contract, the mandatory content referred to in the first paragraph of article 28.3.

All the arguments that it puts forward and the documents that it provides in its allegations to the start agreement relate to the instructions with which the processor had to comply, thereby completing the documentation provided with the response to the transfer.

The documents submitted with the allegations to the start agreement consist of screenshots that prove that the respondent has a computer application in which the instructions given to the processors and their employees are recorded and that allows access to the history of these instructions, to the point that it has been able to access the electronic message sent on 02/18/2020, at 5:12 p.m., with a copy, among others, to the address of the domain “majorel” ***EMAIL.2 referring to the “General sales guidelines operation”.

In the allegations to the resolution proposal, LÍNEA DIRECTA reiterates what was stated
in its previous allegations and explains again the content of the documentation
provided that proves the existence of documented instructions.

The Court disputes that the proposal mentioned the lack of a document that contains the content of article 28.3 that is incorporated into a contract or act that is legally binding, since it claims that the documented instructions that it provides are. It considers that the denied evidence, regarding the sanction imposed on the employee who failed to comply with MAJOREL's instructions, has prevented this fact from being proven.

However, the contract for the processing of data was provided by the entity together with its annexes. In addition, that document indicated that any modification would be communicated to a specific email address in order to be considered as such. However, in the contract for the processing of data there is no mention of the minimum content required. On the other hand, as is clear from the considerations of EDPB Guidelines 7/2020, the instructions referred to in letter a) of article 28.3 are not the same as the object, duration, nature, purpose and type of data.

In short, the Agency contract included in the file, provided as the data processing contract between LÍNEA DIRECTA and MAJOREL, does not include any of the indications that constitute its mandatory content, to which article 28.3 of the GDPR refers.

4. In addition to the mandatory content of the data processing contract mentioned in the first paragraph of article 28.3, section a) of this provision indicates that the contract must state that the processor will process the data “solely” following the documented instructions of the controller.

It is emphasized that the processing contract does incorporate this obligation of the processor: we refer to stipulation 5.1.b) of the Agency contract and to Annex I, clause 5.

However, the fact that the obligation to process the data following the documented instructions of the controller is included is not an obstacle to finding a breach of the obligation imposed by article 28.3 of the GDPR, since the “mandatory content” is missing, as described in section 114 of Guidelines 7/2020.

The documented instructions referred to in section a) do not coincide with the mandatory content of the processing contract, as can be seen from that section of the aforementioned Guidelines.

In its response to the transfer, LÍNEA DIRECTA focused its arguments on stating that there were indications of how its processor should carry out the processing of the data. In this regard, it mentioned the quality plans and, as proof of their existence, it limited itself to providing (document 3 attached) a Word document in which part of an email was transcribed: in “cc” there were several email addresses, among them one that belonged to the “majorel” domain, ***EMAIL.2. As “Subject”: “Operational general sales guidelines”. It included this information: <<15 POINT CAMPAIGN:
- Like any campaign, it can be applied if our price is higher or there is a complaint from the client.
- You must ask if you have the 15 points.
- You must request proof of the 15 points or ask the client for authorization to make the online consultation.
>> it is considered a medium incidence.
>> in quotation and/or closing.>>

The opening agreement considered that the aforementioned document - given its characteristics and the partial transcription of an electronic message with information whose origin was unknown - did not prove, contrary to what was alleged by the respondent, that it had provided the documented instructions with which, in accordance with section a) of article 28.3, the processor had to comply; this is independent of what constitutes the mandatory minimum content of the processing contract, which must be recorded in writing in an act or contract binding on the parties.

Therefore, the opening agreement indicated:

“Thus, we can affirm that the Agency contract signed between LÍNEA DIRECTA and MAJOREL - in which, by imperative of article 203.2 of RDL 3/2020, all the details relating to the processing assignment referred to in article 28.3 of the GDPR must be included - is missing a reference to the processing operation (its object, purpose, nature and data processed) which consists of consulting the balance of points of the applicant for car insurance through the DGT website.
Furthermore, no documents have been provided attached to the Agency contract containing the information that article 28.3 of the GDPR requires the controller to provide to its processor regarding the processing operation that it entrusts to it.”

In this regard, it is worth mentioning SAN of 07/03/2024, Rec. 2282/2021, ECLI:ES:AN:2024:1076. In the administrative appeal filed by VODAFONE against the AEPD's sanctioning resolution, it argued in its defense that the data controller was not Vodafone itself but the entity Cablanol, S.L., to which the entity V, S.L., had subcontracted the processing assignment agreed with Vodafone for the marketing of its services for micro-enterprises.

“It is clear that the appellant company signed an agency contract, among other agents, with the entity Vesaleads, S.L., […] for the marketing of services offered by Vodafone for micro-enterprises. And said company Vesaleads, S.L., in turn, subcontracted the entity Cablanol, S.L. to carry out, as Vesaleads' sub-agent, said promotion and marketing.
It is noted that in the case at hand, Cablanol, S.L., sent the commercial communications that give rise to the present dispute to the professional email address […] managed by the complainant.

FOURTH.- Secondly, the plaintiff claims that Cablanol, S.L., acted at all times as data controller and service provider independent of the plaintiff.

It is pointed out that Cablanol, S.L. acted, in all respects, as the data controller by sending the communications to the claimant, determining on its own account the purposes and means of said personal data processing activity, directly contravening the terms of the contractual relationship that linked it to Vodafone.
[…]
It is added that the plaintiff cannot be held responsible for the sending of the disputed communications by Cablanol, S.L. […]
As a subsidiary matter, it is argued that even if it is understood that there is a data processing relationship, Cablanol S.L. acted outside the scope of the contracted relationship, becoming the data controller by virtue of art. 28.10 of the GDPR.

Thus, as we have previously stated, the entity Cablanol, S.L. is an entity subcontracted by the company Vesaleads, S.L. (belonging to the Solivesa Group), with which the plaintiff signed a contract for the marketing and promotion of services that this operator provides in the micro-enterprise segment.
[…]
On the other hand, art. 33.2 of the LOPDGDD establishes: "The data controller and not the processor will be considered to be the person who, on his own behalf and without it being clear that he is acting on behalf of another, establishes relations with the affected parties even if there is a contract or legal act with the content set out in article 28.3 of Regulation (EU) 2016/679".
[…]
For its part, art. 28.3 of the GDPR specifies the following: "the processing by the processor shall be governed by a contract or other legal act in accordance with the law of the Union or of the Member States, which binds the processor with respect to the controller and establishes the object, duration, nature and purpose of the processing, the type of personal data and categories of interested parties, and the obligations and rights of the controller".

Thus, in the contract of October 1, 2019 signed between the plaintiff and
Vesaleads SL, it establishes:[…]

Therefore, in accordance with the aforementioned art. 28.10 of the GDPR, Cablanol S.L. could be considered the data controller if it had acted "(...) outside or contrary to the legal instructions of the controller(...)". On the contrary, it has been proven that Cablanol S.L. sent several advertising emails referring to certain offers from the operator VODAFONE, with advertising phrases such as: "UPDATE YOUR COMPANY'S COMMUNICATIONS WITH VODAFONE" or "(...) Come to VODAFONE. Now your lines and switchboard with great discounts (...)". Therefore, Cablanol S.L. sent the advertising emails in accordance with the guidelines mandated by the operator Vodafone, establishing relations with the recipients of the emails, by order of the operator and promoting its services. Therefore, it is proven that the operator ultimately responsible for the events that occurred is Vodafone.”

VII

Classification of the infringement of article 28.3. of the GDPR and limitation period

Failure to comply with the obligation imposed by Article 28.3 and 9 of the GDPR that is attributed to LÍNEA DIRECTA in this resolution, relating to the content of the contract for the processing of data and the requirement that it be in writing, entails an infringement classified in Article 83.4 of the GDPR, which provides:

“Infringements of the following provisions shall be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of EUR 10,000,000 or, in the case of a company, an amount equivalent to a maximum of 2% of the total global annual turnover of the previous financial year, whichever is greater:
a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43; […]”

For the sole purpose of determining the limitation period for the infringement of Article 28 of the GDPR for which the respondent party is liable, Article 73 of the LOPDGDD, “Infringements considered serious”, provides:

“In accordance with the provisions of Article 83.4 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered serious and will be subject to a two-year limitation period:

[…]
k) Entrusting the processing of data to a third party without the prior formalization of a contract or other written legal act with the content required by Article 28.3 of Regulation (EU) 2016/679.”

VIII
Sanctions imposed

In light of the facts set out, it is considered that the respondent party should be sanctioned for the violation of Article 6.1 of the GDPR, an infringement classified in Article 83.5.a), and Article 28 of the GDPR, an infringement classified in Article 83.4 of the GDPR. The sanction to be imposed is an administrative fine.

The corrective powers attributed to the AEPD as a supervisory authority are listed in Article 58.2 of the GDPR, paragraphs a) to j). Among them, in letter i) the provision mentions the power of the supervisory authority to sanction with an administrative fine in accordance with Article 83 of the GDPR.

Article 83 of the GDPR, “General conditions for the imposition of administrative fines”, states in its section 1 that the supervisory authority shall ensure that the imposition of fines for infringements of this Regulation referred to in sections 4, 5 and 6 complies in each individual case with the principles of effectiveness, proportionality and deterrence.

The principle of proportionality refers to the adequacy of the sanction to the seriousness of the infringement, prohibiting unnecessary or excessive measures, so that the sanction is suitable for achieving the purposes that justify it. Article 83.2 of the GDPR offers the technique to follow to achieve this correlation between the seriousness of the infringement committed and the sanction: a list of criteria or factors whose concurrence or absence is assessed to graduate the amount of the fine. Section 2 of article 83 of the GDPR establishes:

“Administrative fines shall be imposed, depending on the circumstances of each individual case, as an additional or substitute for the measures contemplated in article 58, section 2, letters a) to h) and j). When deciding whether to impose an administrative fine and its amount in each individual case, due account shall be taken of:

(a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of data subjects affected and the level of damage suffered by them;
(b) the intent or negligence of the infringement;
(c) any measures taken by the controller or processor to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor, taking into account any technical or organisational measures implemented by them pursuant to Articles 25 and 32;
(e) any previous infringements committed by the controller or processor;
(f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate any adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified the infringement and, if so, to what extent;
(i) where measures referred to in Article 58(2) have been previously ordered against the controller or processor concerned in relation to the same matter, compliance with those measures;
(j) adherence to codes of conduct pursuant to Article 40 or to approved certification mechanisms pursuant to Article 42, and
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.”

Regarding paragraph k) of Article 83.2 of the GDPR, the LOPDGDD, Article 76, “Penalties and corrective measures”, provides:

“2. In accordance with the provisions of Article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:

a) The continuous nature of the infringement.
b) The connection between the offender's activity and the processing of personal data.
c) The benefits obtained as a result of committing the infringement.
d) The possibility that the affected party's conduct could have led to the commission of the infringement.
e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity.
f) The impact on the rights of minors.
g) Having, when not mandatory, a data protection officer.
h) The voluntary submission by the controller or processor to alternative dispute resolution mechanisms, in those cases in which there are disputes between them and any interested party.”

The turnover of LINEA DIRECTA during the 2022 financial year exceeded
***AMOUNT.3 euros (***AMOUNT.1).

Violation of article 6.1 of the GDPR, classified in article 83.5.a) GDPR.

Considering the proven facts, in relation to the violation of article 6.1 of the GDPR, the following circumstances are considered to act as aggravating factors for the purposes of determining the amount of the fine, since they entail greater fault of the responsible entity and/or unlawfulness of the offending conduct:

- Circumstance of article 83.2.a): the seriousness and duration of the violation taking into account the nature, scope or purpose of the processing operation in question.

The processing of the complaining party's personal data that materializes in the violation of article 6.1 of the GDPR is part of an operation that LINEA DIRECTA carried out in order to know the real data of the interested party's points balance during the negotiation prior to contracting car insurance and that involves a special seriousness from the point of view of its nature and its purpose. In this regard we indicate:

• The respondent articulated a mechanism of access to a registry kept by a public body, the DGT, taking advantage of a weakness of the computer application in the authentication of the identity of the data holder, the only one enabled to make the online consultation according to the information offered by the DGT's own website (see Proven Fact Seven).

• The respondent designed a way of accessing the data of the interested parties' points that bypassed the system that the DGT had configured, according to which only the data holders accessed online the data that concern them. Although it did not allow consultation through a representative, in any case it did not allow access through its website, which, as we have indicated, was restricted to "(...)".

Furthermore, the seriousness of the conduct is affected by the fact that the processing operation was carried out within the framework of the basic activities of LINEA DIRECTA - the distribution of its insurance policies - and that it was presented to the clients as another step in the insurance contracting process. Also relevant is the number of potentially affected parties, taking into account the period of time in which this processing has been carried out: at least 12 months.

- Circumstance of article 83.2.b): "the intentionality or negligence in the infringement".

In the processing of data carried out, the defendant acted with a very serious lack of diligence that represents an "addition" of culpability and exceeds what is necessary to integrate the subjective element of the infringement.

The reason is that the processing carried out by LINEA DIRECTA - the consultation of the claimant's points balance through the DGT website - is carried out with full awareness and knowledge that it could not access the information on points registered with the DGT through the channel used, since it was reserved for the interested person himself.

That fact, that LINEA DIRECTA in carrying out this processing - the consultation of the points through the DGT website - evaded the control designed by this General Directorate, however weak it was, is obvious. To this end, we mention the explanation offered by the respondent party on the reasons for which it ended these processing operations (first allegation of the written allegations to the opening agreement). It is also inferred from some of the indications included in the LDA Motor Emission Manual provided with its allegations to the opening agreement. In particular, in the general steps that the operator must follow to make the query through the DGT website (Proven Fact Eighteen), point 6, which says:

“6. On the next screen, we will include the email that has been generated automatically (@ reflected in the header). If the client had made the query previously, their email address will appear loaded. We must delete it and include the one that we have generated automatically so that the process is completed correctly.” (Emphasis added)

- Circumstance of article 83.2.k) GDPR connected with article 76.2.b) LOPDGDD:

The obvious link between the business activity of the respondent and the processing of personal data. For its insurance activity, LÍNEA DIRECTA needs to process personal data, which affects the level of risk involved in the processing it carries out.

In this regard, we may cite the SAN of 17/10/2007 (Rec. 63/2006), issued during the validity of Organic Law 15/1999 but whose ruling remains applicable at present. Regarding the degree of diligence that the responsible party is obliged to display in the fulfillment of the obligations imposed by the aforementioned Organic Law, the National Court, after referring to the fact that entities whose activity involves a continuous processing of data of clients and third parties must observe an adequate level of diligence, declares that “[...]. The Supreme Court has understood that there is imprudence whenever a legal duty of care is disregarded, that is, when the offender does not behave with the required diligence. And in the assessment of the degree of diligence, special consideration must be given to the professionalism or otherwise of the subject, and there is no doubt that, in the case now examined, when the activity of the appellant is one of constant and abundant handling of personal data, rigor and exquisite care must be insisted upon in order to comply with the legal provisions in this regard.”

- Circumstance of article 83.2.g): the categories of personal data affected by the infringement.

In this respect, it is taken into account that the data subject to processing in the case analyzed has been the NIF, data that was processed for a purpose other than that for which it was collected from the interested party; the date of issue of the driving license; and the data of the 11 points that the applicant for the insurance had at that time according to the information provided by the MAJOREL employee after the consultation and, in consideration of which, they apply a discount on the insurance premium that almost reaches 50%.

Regarding the data on driving licence points, disregarding the references to the aforementioned ECJ and to the application of article 10 of the GDPR to the case, it should be emphasized that, even though the LÍNEA DIRECTA campaign is called “15 points” and the respondent states in its allegations to the proposed resolution that it only applies a discount if the 15 points are held (which has not happened in the case analysed), what is relevant from the point of view that concerns us is that the query is made to find out the balance in question, to find out whether or not it is 15 points, and on that occasion the real balance is known, that is, as has happened here, 11 points. It should be noted that, given the points system implemented in Spain, except for a new driver, the starting point is 12 points and that the loss of points, as expressly stated in the governing regulations, occurs as a consequence of a serious or very serious infringement of the traffic code. This means that information is being accessed that is especially sensitive for the interested party.

No mitigating circumstances are appreciated.

Considering the criteria of articles 83.1 and 83.2 of the GDPR, it is agreed to sanction the infringement of article 6.1 of the GDPR attributed to the respondent party with an administrative fine of €100,000 (one hundred thousand euros).

Infringement of article 28 of the GDPR, classified in article 83.4 of the GDPR.

The following factors of article 83.2 of the GDPR are present as aggravating circumstances which reflect a greater unlawfulness of the allegedly infringing conduct and/or the culpability of the respondent party:

- Article 83.2.a): the seriousness and duration of the infringement taking into account the nature, scope or purpose of the processing operation in question.

In the breach by LÍNEA DIRECTA of the obligation of article 28.3 of the GDPR certain circumstances occur which show the seriousness of this breach.

• This obligation is not only imposed on the respondent by the GDPR, but also by its sectoral regulations, article 203 of RDL 3/2020.

• Due to the characteristics, purpose and means of the processing operation that constitutes the object of the assignment that LÍNEA DIRECTA makes to MAJOREL: consulting the insurance applicant's points balance through the DGT website using the NIF data for a purpose other than that for which it was provided and evading the DGT instructions on who is authorized to access its website to make this query.

• Due to the numerous processing operations that have been carried out by the processor on behalf of LÍNEA DIRECTA. The absence of a contract or other binding legal instrument affects all holders of personal data that were processed by the data processor.

When assessing the seriousness of the infringement, the “purpose” of the processing operation is also taken into account, as is the fact that this processing is carried out in the context of its business activity, the marketing of car insurance policies.

- Circumstance of article 83.2.b): “the intentionality or negligence in the infringement”.

The lack of diligence demonstrated by the respondent party in the conduct that violates article 28 of the GDPR is classified as very serious and exceeds that necessary to constitute the subjective element of the infringement. The absence of a contract or other binding legal instrument affects all insurance applicants whose points balance was consulted by MAJOREL on behalf of LÍNEA DIRECTA, which shows a serious lack of diligence that represents an "addition" of culpability and exceeds what is essential to integrate the subjective element of the infringement. The obligations imposed on the respondent party in relation to article 28.3 of the GDPR by its sectoral insurance regulations cannot be ignored: articles 203 and 204 of R.D.L. 3/2020.

- Circumstance of article 83.2.k) GDPR connected with article 76.2.b) LOPDGDD:

The link between the respondent's business activity and the processing of personal data is evident: LÍNEA DIRECTA carries out its activity in the field of insurance.

No mitigating circumstances are noted.

In accordance with the criteria of articles 83.1 and 83.2 of the GDPR, it is agreed to sanction the infringement of article 28 of the GDPR attributed to LINEA DIRECTA with a fine of €200,000 (two hundred thousand euros).

IX

Corrective measures

In accordance with the provisions of article 58.2 d) of the GDPR, according to which each supervisory authority may “order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a certain manner and within a specified period…”, it is agreed to order LÍNEA DIRECTA to adopt the necessary measures to adjust its actions to the provisions of article 28 of the GDPR. In particular, it must adapt the data processing contracts it has signed with insurance agents to the requirements of article 28 of the GDPR. The period in which it must adopt the measures is three months from the date on which the sanctioning resolution becomes enforceable.

The imposition of this measure is compatible with the sanction consisting of an administrative
fine, as provided for in article 83.2 of the GDPR.

It is noted that failure to comply with the requirements of this body may be considered an administrative infringement in accordance with the provisions of the GDPR, classified as an infringement in its articles 83.5 and 83.6, and such conduct may motivate the opening of a subsequent administrative sanctioning procedure.

Therefore, in accordance with the applicable legislation and having assessed the criteria for grading the sanctions whose existence has been proven,
the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO IMPOSE on LÍNEA DIRECTA ASEGURADORA, S.A., COMPAÑÍA DE SEGUROS Y REASEGUROS, with NIF A80871031:

1. For an infringement of article 6.1 of the GDPR, classified in article 83.5.a) of the GDPR, an administrative fine (article 58.2.i) in the amount of €100,000 (one hundred thousand euros).

2. For an infringement of article 28 of the GDPR, classified in article 83.4.a) of the GDPR, an administrative fine (article 58.2.i) in the amount of €200,000 (two hundred thousand euros).

SECOND: ORDER LÍNEA DIRECTA ASEGURADORA, S.A., COMPAÑÍA DE SEGUROS Y REASEGUROS, with NIF A80871031, pursuant to article 58.2.d) of the GDPR, to prove, within three months from the date this resolution becomes final and enforceable, that it has complied with the necessary measures to adjust its actions to the provisions of articles 6 and 28 of the GDPR in the terms indicated in this resolution.

THIRD: NOTIFY this resolution to LÍNEA DIRECTA ASEGURADORA,
S.A., COMPAÑÍA DE SEGUROS Y REASEGUROS, with NIF A80871031.

THIRD: This resolution will be enforceable once the deadline for filing the optional appeal for reconsideration has ended (one month from the day following the notification of this resolution) without the interested party having made use of this right. The sanctioned party is hereby notified that he/she must pay the sanction imposed once this resolution becomes enforceable, in accordance with the provisions of article 98.1.b) of the LPACAP, within the voluntary payment period established in article 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of 29 July, in relation to article 62 of Law 58/2003, of 17 December, by paying it, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, in the restricted account number IBAN: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX), opened in the name of the Spanish Data Protection Agency at the banking entity CAIXABANK, S.A. Otherwise, the collection will be carried out during the enforcement period.

Once the notification has been received and has become enforceable, if the date of enforcement is between the 1st and 15th of each month, both inclusive, the deadline for making the voluntary payment will be until the 20th of the following month or the next business day thereafter, and if it is between the 16th and the last day of each month, both inclusive, the payment deadline will be until the 5th of the second following month or the next business day thereafter.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with article 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month from the day following the notification of this resolution or directly a contentious administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law.

Finally, it is noted that, in accordance with the provisions of Article 90.3 a) of the LPACAP, the final resolution may be provisionally suspended by administrative means if the interested party expresses his intention to lodge an administrative appeal. If this is the case, the interested party must formally communicate this fact by means of a letter addressed to the Spanish Data Protection Agency, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through one of the other registries provided for in article 16.4 of the aforementioned LPACAP. He must also transfer to the Agency the documentation that proves the effective filing of the administrative appeal. If the Agency is not aware of the filing of the administrative appeal within two months from the day following notification of this resolution, the provisional suspension will be terminated.

938-16012024

Mar España Martí
Director of the Spanish Data Protection Agency

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es