AEPD (Spain) - EXP202104875
AEPD - PS/00634/2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(f) GDPR Article 32(1) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 15.11.2022 |
Fine: | 80,000 EUR |
Parties: | BANKINTER, S.A. |
National Case Number/Name: | PS/00634/2021 |
European Case Law Identifier: | n/a |
Appeal: | Appealed - Confirmed |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | CSO |
The Spanish DPA fined a bank €80,000 for a breach of Article 32 GDPR due to lack of adequate technical and organisational measures. The controller also breached the principle of confidentiality by accidentally disclosing personal data of customers to a third party.
English Summary
Facts
The data subject was a customer of Bankinter (the controller). On 15 July 2021, the data subject accessed their online banking account in order to check a payment. They discovered that they could also view another person's banking information on the account. The data subject then contacted the controller's customer service department. However, they did not receive any news nor was the incident corrected. Therefore, the data subject complained about the security breach to the Spanish DPA.
The DPA initiated a sanctioning procedure and carried out an initial investigation.
Holding
First, the DPA held that the controller was responsible, in accordance with Article 32 GDPR, for implementing the appropriate technical and organisational measures and ensuring a level of security appropriate to the risk in order to safeguard the confidentiality of the data. The controller violated Article 32 GDPR, by allowing the data subject access to personal data of a third party via an online banking account.
Second, the DPA recalled that the GDPR does not establish a list of security measures that are applicable according to the data that are processed, but rather establishes that the controller shall apply technical and organisational measures that are appropriate to the risk of the data being processed. For that purpose, it is necessary to take into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, the risks of likelihood and severity for the rights and freedoms of the data subjects.
In the present case, the controller alleged that they granted special relevance to the protection of the confidentiality of the information under its control, for which it developed codes, policies and procedures aimed at guaranteeing the protection of said information. However, this statement was not accepted by the DPA, which argued that it was obvious from the incident that the technical and organisational measures implemented failed.
The DPA initially proposed a fine of €60,000 for breach of confidentiality and €40,000 for not adopting adequate technical and organisational measures. However, due to voluntary payment, the overall sum was reduced to €80,000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/19 File No.: EXP202104875 RESOLUTION OF TERMINATION OF THE PROCEDURE FOR PAYMENT VOLUNTEER Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: On February 1, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate sanction proceedings against BANKINTER, S.A. (hereinafter the claimed party). Once the initiation agreement has been notified and after analyzing the allegations presented, on September 8, 2022 the proposal was issued resolution that is transcribed below: << File no.: EXP202104875 PROPOSED RESOLUTION OF SANCTION PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following: BACKGROUND FIRST: D.A.A.A. (hereinafter, the claimant) dated 10/08/2021 filed a claim with the Spanish Data Protection Agency. The claim is directed against BANKINTER, S.A. with NIF A28157360 (hereinafter, the claimed party). The reasons on which the claim is based are the following: access your personal area on the website of the claimed entity, in the section corresponding to the monthly statement, not only the movements of your account are included, but also also the movements of another belonging to a third party. As a consequence of For this, on 07/16/2021 he files a claim with the Customer Service of said entity and receives a response on 07/22/2021, reporting the start of the timely actions without having received any further news in this regard, in addition to not the incident has been corrected. Provide a printout of the "monthly statement" document that appears in the personal area of the claimant, corresponding to the month of June 2017, as well as the claim e-mail and answer offered. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in forward LOPDGDD), said claim was transferred to the claimed party, for to proceed with its analysis and inform this Agency within a month of the actions carried out to adapt to the requirements established in the regulations of Data Protection. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/19 No response to this letter has been received. THIRD: On 12/29/2021 [the Director of the Spanish Protection Agency de Datos agreed to admit the claim presented by the claimant for processing. FOURTH: On 02/01/2022, the Director of the Spanish Protection Agency of Data agreed to start a sanctioning procedure against the person claimed by the alleged violation of articles 5.1.f) and 32.1 of the GDPR, typified in articles 83.5.a) and 83.4.a) of the aforementioned Regulation. FIFTH: Notified of the initiation agreement, the defendant requested the extension on 02/09/2022 the deadline to answer and 02/14/2022 copy of the file; expansion that was granted and copy that was transferred on 02/11/2022 and 02/14/2022 respectively. The defendant submitted a brief of allegations on 02/25/2022 stating, in summary: that it is not true, as stated in the initiation agreement, that it did not respond to the requirements of the AEPD, since the response occurred on 12/27/2021; that the incident was caused by an error when managing the change of ownership of the other account of which in the past he was a co-owner, not updating correctly the information that appeared in the claimant's “monthly statement” document, to exclude that relating to the other account; the absence of fraud and guilt in the action of the defendant; the non-existence of infringement of article 32.1 of the GDPR to the have the claimed implemented appropriate technical and organizational measures; the existence of medial contest of infractions; disproportionate sanctions proposals and the necessary applications of mitigating factors and the absence of aggravating factors; the filing of the procedure and subsidiarily the reduction of sanctions proposals. SIXTH: On 03/29/2022, the procedure instructor agreed to open a period of practice tests, agreeing on the following: - Consider reproduced for evidentiary purposes the claims filed by the claimants and their documentation, the documents obtained and generated by the Inspection Services that are part of the file. - Consider reproduced for evidentiary purposes, the allegations to the agreement of beginning presented by the defendant and the documentation that accompanies it. SEVENTH: Of the actions carried out in this procedure, have been accredited the following proven facts: 1. On 10/08/2021, a written entry from the claimant was entered in the AEPD stating that at access the website of the defendant, personal area section corresponding to extract monthly, not only the movements of your account are shown, but also the movements from another account belonging to a third party; complaint filed with the Service of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/19 Customer Service received a response informing them of the start of the proceedings opportune, without having received further news in this regard, in addition to not having corrected the incident. 2. There is a copy of the claimant's DNI. 3. There is a copy of the integral monthly extract of June 2021 related to the movements of account no. ***ACCOUNT.1 of which the claimant is the owner, as well as of the movements of the account ***ACCOUNT.2 whose owner is a third person. 4. There is an email sent by the claimant to the claimant dated 07/16/2021, which states the following: “Yesterday, Thursday, July 15, I accessed my personal account on the website of Bankinter in order to check a payment made last month. I was reviewing the movements of my account when, what is my surprise to discover that The movements of another account of which I am not the owner also appear. that other account, as shown. corresponds to a "gold pension current account". (…) In accordance with the foregoing, I request that you proceed to the immediate correction of this situation. (…)” 5. There is a response to the email, dated 07/22/2021, stating: "Dear Customer: We proceed to carry out the appropriate steps based on the situation raised”. 6. The defendant has provided a letter sent to the claimant dated 08/19/2021 in the which indicates the following: "Regarding the situation raised by you, we inform you that we have transferred your comments to the commercial managers of your accounts to discuss this issue. Thanking you as always for the trust you have placed in Bankinter, we continue to available through Telephone Banking, at bankinter.com or at any point of our Commercial Network. Likewise, we know that they have tried to reach him several times by phone without success. For any questions regarding the claim, you can call us at the Customer Service Customer Service (Tel. 900 802 081), providing us with the reference number”. 7. The defendant in writing dated 02/25/2022 has stated that: "Actually, the situation was caused by an error when managing the change of ownership of the Other Account (as the Claimant himself stated in the Brief). I don't know had completely withdrawn access to the information of the Other Account (of which he had been co-owner) when the change of ownership occurred, to the extent in which the information that appeared in the document was not updated correctly "monthly statement" of the Claimant, to exclude that relating to the Other Account". C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/19 FUNDAMENTALS OF LAW Yo By virtue of the powers that article 58.2 of the GDPR recognizes to each control authority, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and to solve this procedure. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, for the regulatory provisions dictated in its development and, as soon as they are not contradict, on a subsidiary basis, by the general rules on the administrative procedures.” II The denounced facts materialize in the visualization, when accessing the monthly statement of your account on the claimant's website, not just your data personal but to the data of a third person (account number and movements of the same), violating the duty of confidentiality motivated by an incident of security due to breach of technical and organizational measures. Article 58 of the GDPR, Powers, states: "two. Each supervisory authority shall have all the following powers corrections listed below: (…) b) penalize any person in charge or person in charge of the treatment with warning when the processing operations have infringed the provided in this Regulation; (…)” First of all, article 5, Principles relating to treatment, of the GDPR states that: "1. Personal data will be: (…) f) processed in such a way as to guarantee adequate security of the personal data, including protection against unauthorized processing or illicit and against its loss, destruction or accidental damage, through the application of appropriate technical or organizational measures ("integrity and confidentiality"). (…)” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/19 II 1. First, the defendant in writing 02/25/2022 alleged that the 12/27/2021, through the Agency's electronic headquarters, responded to the Transfers of Claim and Request for Information, as reflected in those in the File itself containing a copy of the response offered and that in the Initiation Agreement, it is indicated that no response has been received to the Transfers of Claim and Information Request. Obviously it is an error because the defendant is true that he answered, such and as stated in the file, although such circumstance is contrary to what is alleged by the defendant would not have implied the inadmissibility of the claim or non-compliance of the norms that regulate the procedure in light of the information offered by the same. Secondly, in a brief of 04/07/2022, it alleged that the defendant did not There was no record or procedure with the AEPD that corresponds to the reference numbers (PS/00634/2021 or E/12527/2021) and requested confirmation of the existence of said error and, in particular, that the reference to "the documents obtained and generated that are part of procedure E/12527/2021” was also erroneous, there being no other procedure or documents of which Bankinter has proof (otherwise, the Agency is requested to provide Bankinter with this information together with the complete administrative file); and "it is corrected formally said error, so that said Agreement is rectified in the file”. On 02/07/2022, the defendant was notified of the Commencement Agreement Sanctioning Procedure, appearing in the header of the same the reference to the File No.: EXP202104875, that is, the same one that appears in the Proposal that is issues and numbering produced by the internal system. Subsequently, the defendant has requested a copy of the file and will have been able to verify that the documents that make up the administrative file are correspond to those provided by the claimant, those generated by the AEPD and the provided by the claimant. Likewise, on 03/29/2022 the opening of the test period was notified and the Contrary to the previous letter, there is a reference to the disciplinary procedure File No. PS/00634/2021 and in the second point of the AGREEMENT, it is indicated requirement that the defendant himself indicated in his allegations to the initiation agreement; in regarding the reference to the aforementioned numbers both of the disciplinary procedure and the file are figures provided by the internal application system and that nothing have to do with different files (thus the number of disciplinary procedure is a code number provided by the system in relation to the file procedural) but that have nothing to do with files or documents other than those that the defendant has in his possession and that are part of the file administrative, so there is no other procedure or other documentation of which Bankinter is not aware of. In short, the unique file number that appears on the settlement agreement home includes all the internal numbers that identify the procedures carried out with C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/19 above, which all refer to the same claim; what he could check upon receipt of the copy of the entire file 2. As we pointed out in the previous foundation, article 5, Principles regarding treatment, establishes in its letter f) the following: “The personal data will be: (…) f) processed in such a way as to guarantee adequate security of the personal data, including protection against unauthorized or unlawful processing and against its loss, destruction or accidental damage, through the application of measures appropriate technical or organizational ("integrity and confidentiality") (…)” What the GDPR comes to point out is that the technical and organizational measures adopted must be aimed at preventing unauthorized access or use of said data and the equipment used in the treatment. In this same sense, Recital 39 states that "... All reasonable measures to ensure that the data is rectified or deleted personal information that is inaccurate. Personal data must be processed in a way that ensure adequate security and confidentiality of personal data, including to prevent unauthorized access or use of such data and equipment used in treatment. This principle is reinforced in recital 49 of the GDPR, stating that the processing of personal data will be carried out..."to the extent strictly necessary and provided to ensure the security of the network and information, that is, the capacity of a network or an information system to resist, at a certain level of trust, to accidental events or illegal or malicious actions that compromise the availability, authenticity, integrity and confidentiality of the personal data stored or transmitted (…).” The documentation in the file offers clear indications that the claimed, violated article 5 of the GDPR, duty of confidentiality, by enabling the visualization in your monthly bank statement, not only the movements of your account, but also those relating to a third person. As it appears in the proven facts, a copy of the extract is provided comprehensive monthly corresponding to June 2021 in which the movements of the account of which the claimant is the holder, as well as the movements related to a second account owned by a third person. The duty of confidentiality, previously the duty of secrecy, must understood that its purpose is to prevent leaks of data not consented by the holders of the same. The duty of confidentiality is an obligation that is incumbent not only on the responsible and in charge of the treatment but to anyone who intervenes in any treatment phase and complementary to the duty of professional secrecy. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/19 The defendant himself in his brief of 04/07/2022 has stated that "In Actually, the situation was caused by an error when managing the change of ownership of the Other Account (as the Claimant himself stated in the Brief). Access to the Other's information had not been completely withdrawn. Account (of which he had been co-owner) at the time of the change of ownership of the itself, to the extent that the information that appeared in the Claimant's "monthly statement" document, to exclude that regarding the Other Account” and, furthermore, that “when he received the Transfers of Complaint and Information Request, Bankinter was able to understand exactly what happened, undoing the previous misunderstanding and adopted measures to solve the incidence” (underlining corresponds to the AEPD). Therefore, it is considered that the defendant is responsible for the infringement of the article 5.1.f) of the RGPD, infringement typified in its article 83.5.a) of the aforementioned regulation. IV. Article 83.5 a) of the GDPR, considers that the infringement of "the principles principles for treatment, including the conditions for consent under of articles 5, 6, 7 and 9” is punishable, in accordance with section 5 of the mentioned article 83 of the aforementioned GDPR, "with administrative fines of €20,000,000 maximum or, in the case of a company, an amount equivalent to 4% as maximum of the overall annual total turnover of the previous financial year, opting for the one with the highest amount”. The LOPDGDD in its article 72 indicates: "Infractions considered very serious: 1. Based on what is established in article 83.5 of the Regulation (EU) 2016/679 are considered very serious and the infractions that suppose a substantial violation of the articles mentioned in that and, in particular, the following: a) The processing of personal data in violation of the principles and guarantees established in article 5 of Regulation (EU) 2016/679. (…)” V Secondly, article 32 of the GDPR "Security of treatment", states that: "1. Taking into account the state of the art, the application costs, and the nature, scope, context and purposes of processing, as well as risks of variable probability and severity for the rights and freedoms of individuals physical, the person in charge and the person in charge of the treatment will apply technical and appropriate organizational measures to guarantee a level of security appropriate to the risk, which may include, among others: a) the pseudonymization and encryption of personal data; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/19 b) the ability to ensure the confidentiality, integrity, availability and permanent resilience of treatment systems and services; c) the ability to restore availability and access to data quickly in the event of a physical or technical incident; d) a process of regular verification, evaluation and assessment of effectiveness technical and organizational measures to guarantee the safety of the treatment. 2. When evaluating the adequacy of the level of security, particular attention should be paid to take into account the risks presented by data processing, in particular as consequence of the destruction, loss or accidental or illegal alteration of data personal information transmitted, preserved or processed in another way, or the communication or unauthorized access to such data. 3. Adherence to an approved code of conduct pursuant to article 40 or to a certification mechanism approved under article 42 may serve as an element to demonstrate compliance with the requirements established in section 1 of the present article. 4. The person in charge and the person in charge of the treatment will take measures to ensure that any person acting under the authority of the controller or the manager and has access to personal data can only process such data following the instructions of the person in charge, unless it is obliged to do so by virtue of the Law of the Union or of the Member States”. SAW The violation of article 32 of the GDPR is typified in article 83.4.a) of the aforementioned GDPR in the following terms: "4. Violations of the following provisions will be penalized, according to with paragraph 2, with administrative fines of maximum EUR 10,000,000 or, in the case of a company, an amount equivalent to a maximum of 2% of the total annual global business volume of the previous financial year, opting for the highest amount: a) the obligations of the person in charge and the person in charge according to articles 8, 11, 25 to 39, 42 and 43. (…)” For its part, the LOPDGDD in its article 73, for prescription purposes, qualifies of "Infringements considered serious": According to what is established in article 83.4 of Regulation (EU) 2016/679 are considered serious and will prescribe after two years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: (…) g) The breach, as a consequence of the lack of due diligence, of the technical and organizational measures that have been implemented in accordance with C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/19 to what is required by article 32.1 of Regulation (EU) 2016/679”. (…)” The facts disclosed in this claim materialize also in the breach of technical and organizational measures, violating the data confidentiality. VII 1. The GDPR defines personal data breaches as “all those security violations that cause the destruction, loss or accidental or illegal alteration of personal data transmitted, stored or processed otherwise, or unauthorized disclosure of or access to such data.” The documentation provided to the file shows that the defendant has violated article 32 of the GDPR, when a security incident occurred by allowing access to the claimant to the personal data of a third party, when viewing in their area personnel from the entity's website the movements of another person's account. It should be noted that the GDPR in the aforementioned precept does not establish a list of the security measures that are applicable according to the data that is object of treatment, but it establishes that the person in charge and the person in charge of the treatment will apply technical and organizational measures that are appropriate to the risk that entails the treatment, taking into account the state of the art, the costs of application, the nature, scope, context and purposes of the treatment, the risks of probability and seriousness for the rights and freedoms of the persons concerned. In addition, security measures must be adequate and proportionate to the risk detected, noting that the determination of the measures technical and organizational procedures must be carried out taking into account: pseudonymization and encryption, the ability to ensure confidentiality, integrity, availability and resiliency, the ability to restore availability and access to data after a incident, verification process (not audit), evaluation and assessment of the effectiveness of the measures. In any case, when evaluating the adequacy of the security level, particular account of the risks presented by data processing, such as consequence of the destruction, loss or accidental or illegal alteration of data personal information transmitted, preserved or processed in another way, or the communication or unauthorized access to said data and that could cause damages physical, material or immaterial. In this sense, recital 83 of the GDPR states that: "(83) In order to maintain security and prevent processing from infringing the provisions of this Regulation, the controller or processor must assess the risks inherent to the treatment and apply measures to mitigate them, such as encryption. These measures must ensure an adequate level of security, including the confidentiality, taking into account the state of the art and the cost of its application regarding the risks and nature of the personal data to be protect yourself. When assessing risk in relation to data security, considerations should be C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/19 take into account the risks arising from the processing of personal data, such as the destruction, loss or accidental or unlawful alteration of personal data transmitted, stored or processed in another way, or communication or access not authorized to said data, susceptible in particular to cause damages physical, material or immaterial. 2. In the present case, the defendant has alleged that he has granted a special relevance to the protection of the confidentiality of the information under its control, for which has developed codes, policies and procedures aimed at guaranteeing the protection of said information, listing below a series of measures implanted, surprising him that the AEPD accused him of a violation of art. 32 GDPR. However, such a statement cannot be accepted; it seems obvious that said incident has occurred, that is, the technical and organizational measures implemented failed due to a security incident when allowing the visualization by the claimant of the movements of the account of a third party in his personal area of the website of the entity, violating the principle of confidentiality. In accordance with the proven facts and the documentation contained in the file, the claimant addressed the defendant by sending him an e-mail on 07/16/2021, stating that "Yesterday ... I accessed my personal account on the website of Bankinter in order to consult a payment made last month. I was reviewing the movements of my account when, what is my surprise to discover that The movements of another account of which I am not the owner also appear. that other According to the figure, the account corresponds to a "current or pension account... I sense that the person who owns that gold pension account is the person with whom share the ownership of a payroll account where we deposited our corresponding payroll (my ex-partner). A possible explanation of these facts, the more predictable, is that during the steps taken at the time by the office of Bankinter so that we could put an end to joint ownership of the payroll account and pass to each have their own payroll account, there was some oversight on the part of the bank office... In accordance with the foregoing, I request that you proceed to the immediate correction of this situation". Six days later, on 07/22/2021, the defendant responded by stating: "We proceeded to carry out the appropriate steps based on the situation raised" Well, despite the fact that the situation raised by the claimant was crystal clear did not receive any response, stating that "The situation that I exposed it to the bank, it continues the same without being corrected”. Response that does not differ much from that carried out on 08/19/2021 by the claimed to the claimant "In relation to the situation raised by you, I We inform you that we have forwarded your comments to those responsible of their accounts to deal with this matter”, and which was provided on 12/27/2021 In response to the information request from the AEPD to which we referred in the point 1 of FD III. Therefore, the defendant cannot rely on the fact that it was not until he received the Complaint Transfers and Request for Information when you could understand C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/19 exactly what happened, adopting measures to solve the incident because the The claimant in his claim document and in the extracts provided made it clear: identified the type of account: "That other account, as shown, corresponds to a account "current gold pension..." and to the owner of the same "I sense that the person who owns of that gold pension account is the person with whom to share the ownership of a payroll account where we entered our corresponding payroll (my ex partner)..,". The Supreme Court in a judgment of 02/15/2022 states that: "The obligation to adopt the necessary measures to guarantee the security of personal data cannot be considered an obligation of result, which implies that produced a leaking of personal data to a third party there is responsibility regardless of the measures adopted and the activity carried out by the person responsible for the file or the treatment. In the obligations of result there is a commitment consisting of the fulfillment of a certain objective, ensuring the achievement or proposed result, In this case, guarantee the security of personal data and the absence of security leaks or breaches. In obligations of means, the commitment acquired is to adopt technical and organizational means, as well as deploy diligent activity in its implantation and use that tends to achieve the expected result with that can reasonably be classified as suitable and sufficient for its achievement, for this reason they are called obligations "of diligence" or "of behavior". The difference lies in the responsibility in both cases, because while that the obligation of result responds to a harmful result due to the failure of the security system, whatever its cause and the diligence used. In the obligation of means is enough to establish technically appropriate measures and implement and use them with reasonable care. In the latter, the sufficiency of the security measures that the responsible has to establish has to be related to the state of technology at all times and the level of protection required in relation to the data treated, but a result is not guaranteed.” The Court confirms that the design of the technical means is not sufficient and organizational requirements, since it is also necessary to correctly implementation and proper use. Therefore, the responsibility of the defendant is determined by the incident of security revealed by the claimant, since he is responsible for taking decisions aimed at effectively implementing the technical and appropriate organizational measures to guarantee a level of security appropriate to the risk to ensure the confidentiality of the data, restoring its availability and preventing access to them in the event of a physical or technical incident. However, from the documentation provided shows that the entity has not only breached this obligation, but also the adoption of measures in this regard is unknown, despite of having given transfer of the claim presented. Pursuant to the foregoing, it is estimated that the defendant would be allegedly responsible for the infringement of the GDPR: the violation of article 32, offense typified in article 83.4.a). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/19 VIII The defendant alleges the existence of a medial contest of infractions for concur the assumption referred to in art. 29.5 of Law 40/2015, of October 1, Therefore, the imposition of only one of the two sanctions would proceed, specifically, the regarding the violation of article 5.1.f) of the GDPR. The art. 29.5 of Law 40/2015, of October 1, on the Legal Regime of the Sector Public, establishes that: "When the commission of an offense derives necessarily the commission of another or others, only the sanction must be imposed corresponding to the most serious offense committed". However, such argumentation cannot be accepted; the specific standard in data protection, that is, the GDPR, establishes in its article 83.3 that: "3. If a person in charge or a person in charge of the treatment fails to comply intentionally or negligently, for the same treatment operations or operations related parties, various provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount provided for the most serious offences. serious. We already pointed out in FD IV that the processing of personal data violating the principles and guarantees established in article 5 of the GDPR, considered as a very serious infraction, so the only limit would be established by the amount indicated in article 83.5 of the GDPR "€20,000,000 maximum or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the one with the highest value”. IX In order to establish the administrative fine that should be imposed, the observe the provisions contained in articles 83.1 and 83.2 of the GDPR, which point out: "1. Each control authority will guarantee that the imposition of fines administrative proceedings under this article for violations of this Regulations indicated in sections 4, 5 and 6 are in each individual case effective, proportionate and dissuasive. 2. Administrative fines will be imposed, depending on the circumstances of each individual case, as an addition to or substitute for the measures contemplated in article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administration and its amount in each individual case shall be duly taken into account: a) the nature, seriousness and duration of the offence, taking into account the nature, scope or purpose of the processing operation in question as well as the number of stakeholders affected and the level of damage and damages they have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the controller or processor to alleviate the damages and losses suffered by the interested parties; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/19 d) the degree of responsibility of the controller or the person in charge of the processing, taking into account the technical or organizational measures that have applied under articles 25 and 32; e) any previous infringement committed by the person in charge or in charge of the treatment; f) the degree of cooperation with the supervisory authority in order to put remedy the breach and mitigate the potential adverse effects of the breach; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particularly if the person in charge or the person in charge notified the infringement and, in such a case, what extent; i) when the measures indicated in article 58, paragraph 2, have been previously ordered against the person in charge or in charge in question in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under article 40 or to mechanisms of certification approved in accordance with article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or the losses avoided, direct or indirectly, through the infringement. In relation to letter k) of article 83.2 of the GDPR, the LOPDGDD, in its Article 76, "Sanctions and corrective measures", establishes that: "two. In accordance with the provisions of article 83.2.k) of the Regulation (EU) 2016/679 may also be taken into account: a) The continuing nature of the offence. b) Linking the activity of the offender with the performance of processing of personal data. c) The benefits obtained as a consequence of the commission of the infraction. d) The possibility that the conduct of the affected party could have led to the commission of the offence. e) The existence of a merger process by absorption after the commission of the infringement, which cannot be attributed to the absorbing entity. f) The affectation of the rights of minors. g) Have, when it is not mandatory, a data protection delegate data. h) The submission by the person in charge or in charge, with character voluntary, alternative conflict resolution mechanisms, in those cases in which there are controversies between those and any interested." - In accordance with the transcribed precepts, and without prejudice to what results from the instruction of the procedure, in order to set the amount of the fine to impose in the present case for the infringement typified in article 83.5.a) and article 5.1.f) of the GDPR for which the defendant is held responsible, in an initial assessment, consider the following factors concurrent: They are aggravating circumstances: - The nature, seriousness and duration of the infringement: the facts considered proven seriously affect a basic principle in the treatment of data of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/19 personal nature, such as confidentiality and integrity, and whose reproach is more seriousness revealing the data of the account of a third party, type data economic; damages caused as a result of interference in the privacy sphere of the claimant, since we must not forget that we are in the event of the infringement of a fundamental right to the protection of personal data and that the claimant has been forced to file a claim with the AGPD before the inaction of the defendant. - The activity of the allegedly infringing entity is linked to the data processing of both clients and third parties. In the activity of the entity claimed, the processing of personal data is essential, therefore, given the volume of business of the same the importance of the conduct object of the This claim is undeniable (article 76.2.b) of the LOPDGDD in relation to the article 83.2.k). - Although it cannot be argued that the defendant acted intentionally, there is no doubt that there is a serious lack of diligence in his performance. Connected with the degree of diligence that the data controller is obliged to deploy in compliance with the obligations imposed by the data protection regulations, the SAN of 10/17/2007 can be cited. although it was issued before the entry into force of the GDPR, its pronouncement is perfectly extrapolated to the assumption that we analyse. The ruling, after alluding to the fact that the entities in which the development of their activity entails a continuous treatment of data of clients and third parties must observe an adequate level of diligence, specified that "(...) the Supreme Court has been understanding that there is imprudence whenever a legal duty of care is neglected, that is, when the offender does not behaves with the required diligence. And in assessing the degree of diligence must especially the professionalism or not of the subject should be considered, and there is no doubt that, in the case now examined, when the appellant's activity is constant and copious handling of personal data must insist on rigor and exquisite care to comply with the legal provisions in this regard” (article 83.2, b) of the GDPR). - The volume of business of the defendant is one of the entities leading financial institutions in the Spanish market, by business purpose (article 83.2, k) of the GDPR). Extenuating circumstances are considered: - Only one person has been affected by the infringing conduct. In accordance with the above factors, it is deemed appropriate to impose on the defendant for violation of article 5.1.f) of the GDPR, a penalty of 60,000 euros. - In accordance with the precepts transcribed, for the purpose of setting the amount of the sanction of a fine to be imposed in the present case for the offense typified in the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/19 Article 83.4.a) and Article 32.1 of the GDPR for which the defendant is held responsible, in In an initial assessment, the following factors are considered concurrent: They are aggravating circumstances: - The nature, seriousness and duration of the infringement: the facts considered proven affect a basic issue in data protection such as the security of the same, allowing the access of the claimant to the data of a third, his ex-partner, as a consequence of the security incident and his absence from response, initially, to the claim filed by the claimant, which motivated him to contact the AEPD (article 83.2, a) of the GDPR). - The activity of the allegedly infringing entity is linked to the data processing of both clients and third parties. In the activity of the entity claimed, the processing of personal data is essential, therefore, given the volume of business of the same the importance of the conduct object of the This claim is undeniable (article 76.2.b) of the LOPDGDD in relation to the article 83.2.k). - Although it cannot be argued that the defendant acted intentionally, there is no doubt that there is a serious lack of diligence in his performance. Connected with the degree of diligence that the data controller is obliged to deploy in compliance with the obligations imposed by the data protection regulations, the SAN of 10/17/2007 can be cited. although it was issued before the entry into force of the GDPR, its pronouncement is perfectly extrapolated to the assumption that we analyse. The ruling, after alluding to the fact that the entities in which the development of their activity entails a continuous treatment of data of clients and third parties must observe an adequate level of diligence, specified that "(...) the Supreme Court has been understanding that there is imprudence whenever a legal duty of care is neglected, that is, when the offender does not behaves with the required diligence. And in assessing the degree of diligence must especially the professionalism or not of the subject should be considered, and there is no doubt that, in the case now examined, when the appellant's activity is constant and copious handling of personal data must insist on rigor and exquisite care to comply with the legal provisions in this regard” (article 83.2, b) of the GDPR). - The volume of business of the defendant is one of the entities leading financial institutions in the Spanish market, by business purpose (article 83.2, k) of the GDPR). Extenuating circumstances are considered: - Only one person has been affected by the infringing conduct. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 16/19 In accordance with the above factors, it is deemed appropriate to impose on the defendant for violation of article 32.1 of the GDPR a penalty of 40,000 euros. In view of the foregoing, the following is issued PROPOSED RESOLUTION FIRST. That by the Director of the Spanish Data Protection Agency penalize BANKINTER, S.A., with NIF A28157360, for a violation of article 5.1.f) of the GDPR, typified in article 83.5, a) of the GDPR, with a fine of €60,000 (sixty thousand euros). SECOND. That by the Director of the Spanish Data Protection Agency penalize BANKINTER, S.A., with NIF A28157360, for a violation of article 32.1 of the GDPR, typified in article 83.4, a) of the GDPR, with a fine of €40,000 (forty thousand euros). Likewise, in accordance with the provisions of article 85.2 of the LPACAP, you will be informs that it may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which It will mean a reduction of 20% of the amount of the same. With the application of this reduction, the total sanction would be established at €80,000 (eighty thousand euros) and its payment will imply the termination of the procedure. The effectiveness of this reduction will be conditioned to the withdrawal or resignation of any action or appeal via administrative against the sanction. In case you choose to proceed to the voluntary payment of the specified amount above, in accordance with the provisions of the aforementioned article 85.2, you must do it effective by depositing it in the restricted account no. ES00 0000 0000 0000 0000 0000 open in the name of the Spanish Data Protection Agency in the entity bank CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the cause, for voluntary payment, reduction of the amount of the sanction. You must also send the Proof of admission to the Sub-Directorate General of Inspection to proceed to close The file. In accordance with the provisions of article 76.4 of the LOPDGDD and given that the amount of the sanction imposed is greater than one million euros, it will be subject to publication in the Official State Gazette of the information that identifies the offender, the infraction committed and the amount of the sanction. By virtue of this, you are notified of the foregoing, and the procedure is revealed. so that within TEN DAYS you can allege whatever you consider in your defense and present the documents and information that it deems pertinent, in accordance with Article 89.2 of the LPACAP. R.R.R. INSPECTOR/INSTRUCTOR C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 17/19 EXHIBIT File index EXP202104875 10/08/2021 A.A.A. 10/11/2021 A.A.A. 11/24/2021 Transfer of claim to BANKINTER, S.A. 11/25/2021 Transfer of claim 2 to BANKINTER, S.A. 12/27/2021 Allegations by BANKINTER, S.A. 12/29/2021 Admission for processing to A.A.A. 02/02/2022 Opening of BANKINTER, S.A. 02/07/2022 Information. Claimant to A.A.A. 02/09/2022 Term extension request from BANKINTER S.A 02/09/2022 Request for term extension from BANKINTER.S. A 02/11/2022 Amp. Term to BANKINTER, S.A. 02/14/2022 Request for a copy of the BANKINTER.S file. A 02/14/2022 Transfer to BANKINTER, S.A. 02/25/2022 Allegations of BANKINTER.S. A 03/29/2022 Test period notification >> SECOND: On September 22, 2022, the claimed party has proceeded to the payment of the penalty in the amount of 80,000 euros using the reduction provided for in the motion for a resolution transcribed above. THIRD: The payment made entails the waiver of any action or resource in the against the sanction, in relation to the facts referred to in the resolution proposal. FUNDAMENTALS OF LAW C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 18/19 Yo In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with character subsidiary, by the general rules on administrative procedures." II Article 85 of Law 39/2015, of October 1, on Administrative Procedure Common for Public Administrations (hereinafter LPACAP), under the heading "Termination in disciplinary proceedings" provides the following: "1. Initiated a disciplinary procedure, if the offender acknowledges his responsibility, The procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction has only a pecuniary nature or it is possible to impose a pecuniary sanction and another of a non-pecuniary nature but the inadmissibility of the second, the voluntary payment by the presumed perpetrator, in any moment prior to the resolution, will imply the termination of the procedure, except in relation to the replacement of the altered situation or the determination of the compensation for damages caused by the commission of the offence. 3. In both cases, when the sanction is solely pecuniary in nature, the The competent body to resolve the procedure will apply reductions of at least 20% of the amount of the proposed penalty, these being cumulative among themselves. The aforementioned reductions must be determined in the notification of initiation of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of any administrative action or resource against the sanction. The percentage reduction provided for in this section may be increased according to regulations." According to what has been stated, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: DECLARE the termination of procedure EXP202104875, in in accordance with the provisions of article 85 of the LPACAP. SECOND: NOTIFY this resolution to BANKINTER, S.A.. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 19/19 In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified. Against this resolution, which puts an end to the administrative process as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, interested parties may file an appeal administrative litigation before the Administrative Litigation Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. 968-230822 Mar Spain Marti Director of the Spanish Data Protection Agency 28001 – Madrid 6 sedeagpd.gob.es