AEPD (Spain) - PS/00241/2022
AEPD - PS/00241/2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1) GDPR |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | 09.03.2021 |
Decided: | |
Published: | |
Fine: | 100.000 EUR |
Parties: | Ibercaja |
National Case Number/Name: | PS/00241/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Bernardo Armentano |
AEPD fined Ibercaja - a bank - €100.000 for opening an account in the name of a minor during an inheritance process without having obtained the specific and unambiguous consent of the mother, in breach of Article 6(1) GDPR.
English Summary
Facts
A woman provided her personal data and the personal data of her children to the Spanish bank Ibercaja with the intention of obtaining balances of a deceased person and initiating an inheritance process. Subsequently, she filed a complaint with the AEPD claiming that, during the process, Ibercaja shared these data with the lawyer of the other co-heirs and with a life insurance company. She also claimed that the bank opened an account in the name of her minor child for the deposit of inheritance funds without her knowledge. When asked to provide a proof of prior consent, the bank confirmed that there was no authorisation but alleged that the account was inactive and that is was necessary for the distribution and adjudication of the deceased's assets. It highlighted that these assets were in its custody and that the mother requested the processing of the deceased's will.
Holding
The AEPD stated that the bank account do not necessarily have to opened in the same bank as the one of the deceased person, but rather in any other financial institution of the heirs' choice. The DPA emphasised that, although the account was not active, the mere insertion of the minors' personal data into the bank's information systems was illegal since it was not authorized by their legal representative.
With regard to the argument that the mother requested the processing of the deceased's will, the DPA pointed out that this does not imply per se that the bank can use all the data in its possession for any purpose. It recalled that the GDPR requires controllers to obtain informed and unambiguous consent for each of the purposes of the personal data processing. Thus, the fact that the claimant provided her personal data with the intention of obtaining the bank balances does not allow it to process these data for other purposes, such as the creation of a bank account in the name of one of her minor children.
On this basis, the AEPD found a violation of Article 6 GDPR and fined Ibercaja €100.000. However, it considered that the transfer of data to unauthorised third parties was not proven.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.